INFRASTRUCTURE LOG

DAY 94: We don’t have the insights to maintain our IT service-level agreements! We can’t deliver against our objectives! How are we supposed to do our jobs in the dark?

Gil rented a giant searchlight to give us a little “visibility.” He’s also temporarily blinded all the administrators.

DAY 96: I found a better way. Hardware, software and services from IBM Service Management give us the integrated visibility, control and automation we need, like dashboards that give us insights to manage against business objectives. We can improve governance and minimize risks. And we can keep tabs on the status and health of our services at each stage of their lifecycle while tracking our SLAs in real time.

Now if we could just get our vision plan to cover “rampant idiocy.”

Tivoli.

Take the IT Service Management assessment at:

IBM.COM/TAKEBACKCONTROL/VISIBLE
SECURITY

Diebold Named Global Physical Security Systems Integrator of the Year

Recognized as Frost & Sullivan's 2008 Global Physical Security Systems Integrator of the Year, Diebold Security leads through innovation, integration and a relentless commitment to deliver tomorrow's technology, today.

Our goal is simple. Each day, we work to help protect you, our customer, from criminal activity and critical loss while enabling business in a safe, secure and efficient environment. We provide the thought leadership, cutting-edge technology and integrated solutions you depend on daily.

Rely on award-winning Diebold Security to reduce shrink, mitigate risk and preserve your peace of mind.

To find out how Diebold can address your stores' security concerns with a comprehensive security solution,

CONTACT A DIEBOLD REPRESENTATIVE AT (800) 300-1434 OR VISIT WWW.DIEBOLDSECURITY.COM/RETAIL
[FROM THE EDITOR]

Eyes on the Prize

According to the old saw, “Everybody loves a winner.” That’s encouraging, because in mid-March CSO had the honor of winning the Grand Neal award from American Business Media.

The Grand Neal is considered by most folks in the business publishing world to be the highest award given: a sort of Best in Show prize, in this case designating Scott Berinato’s February 2007 article on copper theft as the top piece of business journalism (among more than 1,000 entries) in the ABM’s annual competition.

Now any editor worth his salt will tell you that the real measure of quality is whether readers find something useful and interesting. Happily, reaction from readers and sources alike told us this article was great by that yardstick as well. (If you missed it, you can judge the article for yourself at http://www.csoonline.com/article/221225. You can also find an associated slideshow with some in-the-field metal-theft images from DTE CSO Michael Lynch at http://www.csoonline.com/special/slideshows/copper theft/.) But a pat on the back from your peers is always all right too.

In the same spirit we’re pleased to present to you the honorees of our CSO Compass Awards. This annual award recognizes a select number of CSOs, CISOs, researchers, consultants and/or academicians who have made career-long contributions to their organizations and to the security field. This year’s honorees were recognized at our CSO Perspectives Conference and provided those in attendance with a lively and informative panel discussion about everything from security governance to personal career development.

And that’s the real point. The awards aren’t intended solely as a back-patting exercise for six people. In recognizing them, we aim to tap into their individual and collective wisdom to extract suggestions, strategies and tips to aid the cause of all security leaders. You’ll find this year’s winners and their leadership lessons starting on page 30. Read Marc Fidanza’s comments on professionalism in the security industry, or Jim Hutton’s observation that great security leadership requires a mind-set similar to that of a sales account rep. It’s great food for thought, and for action.

Here’s hoping those lessons can help you continue to build the excellence of your own security organization. That’s the real prize for CSOs. And at the same time, I hope that you get the occasional pat on the back that you deserve too.

-Derek Slater, dslater@cxo.com
Before another visitor abandons your site, consider why sites like eBay®, Travelocity® and Charles Schwab® use VeriSign® Extended Validation (EV) SSL Certificates. This new technology turns the address bar in high-security browsers green, indicating it’s safe to transact on a site. That’s the power of the Web’s most trusted name in security. VeriSign.

So the world can: proceed securely to checkout.

Get your free EV white paper at www.verisign.com/dm/evssl or call 1-866-893-6565.
Compliance, Procrastination and Red Flag Rules

I have always been struck by the lag time I see in businesses dealing with compliance issues. There is a large gap between when a law or rule goes into effect and when businesses actually address the law or rule. Why is that?

I am a great procrastinator and as such I understand procrastinating. When I was in college I put off writing my senior thesis (on terrorism) until three weeks before it was due, and then cranked out 120 pages in the nick of time. But why is it that so many businesses take so long to get compliant? Every piece of research I have done over the past six years has said that compliance is the top driver for security investment. (Loyal readers of this column will remember that I have taken the community to task for using compliance as the crowbar to get funding for security, as opposed to using a risk-based model.) So we know that dollars are flowing to ensure compliance. I attribute the delay to ROSP: the Rule of Security Procrastination.

I have seen this rule in action with HIPAA. Years after the original compliance deadlines, many hospitals are just beginning to address it. PCI: The deadlines have been rolling by for the past couple of years and still many businesses are only beginning to act in earnest. The Sarbanes-Oxley Act was a bit of an exception to the ROSP rule, but I think we all know why that is. (It has something to do with the CEO going to jail.) A new regulation generating a lot of noise but not much in the way of action: Red Flag Rules. Red Flag Rules are provisions covered under Sections 114 and 315 of the Fair and Accurate Credit Transactions Act of 2003 that require financial institutions to implement an identity theft prevention program. I’m hearing more and more about it, mostly CSOs grousing about the requirements, but the deadline for compliance is November 1, 2008. I’m guessing most businesses will miss that deadline.

What should you take away from all this? The first thing is that, as with any rule, there is some truth and some fiction to ROSP. Most businesses are forced into what appears to be procrastination as they struggle to interpret what it actually means to be compliant, since so many regulations are exceedingly vague. The truth component is more telling: Businesses will often take a wait-and-see attitude with a rule or regulation: “Let’s wait and see if anyone actually enforces it; then we’ll deal with it.” The second thing is that there is an understandable lag time between when a rule comes down and when it is actually implemented as businesses decide how best to get compliant. That is when CSOs go and “get smart” about what’s going on and what it means to them and their businesses.

The problem, in my humble opinion, is that the time taken to get smart is often too long. As a result, many good regulations and rules fail to produce the required results.

-Bob Bragdon, bbragdon@cxo.com
You know access points. Gateways. Portals.

Doors are a natural.

HID Global, the world leader in access control, brings you EDGE™: efficient and trouble-free IP-based solutions to extend the network to your company’s doors.

HID’s EDGE access control solutions are designed to fully leverage your company’s IT infrastructure, eliminating controllers and connecting easily with a network cable to each door. Simple to install and administrate, EDGE creates tangible cost savings, while using very little bandwidth. And, of course, you also get the security, reliability and support that have made us the top name in physical access control. EDGE from HID. It’s a natural move for the network. We call it bringing intelligence to the door.

ACCESS intelligence.

What’s on your mind? Security leaders discuss and debate at www.csoonline.com
Laptops Gone Wild

Michael Overly says CSOs should look more carefully at “remote wipe” services

Sadly this is not the title of a new spring break video. Rather it reflects the continuing growth industry that is lost and stolen laptops. As the number of laptops going missing grows at an ever alarming rate, many businesses have adopted policies regarding laptop security, tried to better educate their users regarding the security risks associated with this problem, and implemented stronger user authentication and even encryption on laptops containing sensitive information. Proactive businesses are now taking a further step in deploying “phone home” software in their laptops or installing applications that can be triggered remotely to irretrievably erase or encrypt data on a missing laptop. These are all steps in the right direction. There are, however, some risks associated with remote erasure software that should be addressed in your contract with the vendor.

While not all vendor agreements for the provision of remote erasure software present the same problems, certain trends are present:

■ Be aware of agreements that give the vendor the ability to remotely access data on the missing laptop, other than information indicating the IP address or other similar information identifying its location. Some agreements are written broadly enough to permit the vendor access to almost everything stored on the laptop, creating a security risk of its own. Agreements should be written narrowly to define the type of data the vendor can access.

■ Many agreements permit the vendor to coordinate with local law enforcement in recovering the laptop and prosecuting the thief. Some agreements neglect the importance of strictly controlling the sensitive information on the laptop during this process. Agreements should be written to ensure (i) the company to whom the laptop belongs is kept apprised of all developments in the case and, more importantly, all access to and use of information stored on the laptop; and (ii) the vendor is not relieved of its confidentiality and security obligations during the investigation.

■ Agreements should be carefully revised to ensure strict procedures are followed and consents obtained before information on the laptop is erased. Unless an erase command comes from a specifically authorized person at the client, using a previously defined process, the vendor should be responsible for any unauthorized commands to erase information (regardless of whether the erasure arises from a bug in the vendor’s software, a hacker attacking the vendor’s systems, employee misconduct at the vendor, or simple negligence on the part of the vendor).

-Michael Overly
BLOG POST

A Funny Thing Happened on the Way to RSA

Jeff Bardin recounts a former colleague’s tale of application security woe

On my way to San Francisco, I ran across an old friend from my security past who is not a CISO. We started discussing current events, the conference, the beauty of San Francisco and, inevitably, his current plight.

He indicated that the corporate leadership over the IT group was pushing to remove maintenance on their SIEM product. He also indicated this to be standard fare for products within the infrastructure realm of IT. The infrastructure had been gutted over the past several years in an effort to reduce expense. Without consideration for the impacts and the continued reduction in security posture, the company under the tutelage of the CIO/COO decided that chewing gum and bailing wire are adequate controls for maintaining availability of mission-critical systems.

Under the weight of the ever-growing, revenue-generating, Internet-facing, mission-critical applications, the infrastructure bends and cracks in the wind like bamboo. Only this bamboo is rotting. The decay continues as new applications are developed and new application tools are purchased.

Scans run against these revenue-generating applications identify, on average, nearly 1000 OWASP Top Ten vulnerabilities in the code. Application layer firewalls were deployed as a risk mitigation strategy; the problem is that anytime there is an issue with performance or some other problem relative to the revenue-generating applications, the fingers immediately point to the app layer firewall. Each finger pointed results in another rule being modified to open traffic to the defect-prone code.

New applications and middleware are purchased without consideration of the security infrastructure. As a result, the app layer firewall is seen as a roadblock to progress as many times the new software does not work with the app layer firewall (discovered after purchase and implementation). More rules are removed to the point that the app layer firewall now resembles Swiss cheese and smells like limburger.

You could see the despair in my friend’s eyes. He knew he had built a solid program, but the leadership decided that these tools have limited value and it is a “damn the torpedoes, full steam ahead” approach to generating revenue. The only risk they consider is that of not increasing revenues.

I guess that what happened on the way to the conference was not so funny after all.

-Jeff Bardin

BLOG POST

Notes from ISC West

Four short years ago I spoke on a panel at ISC West about the convergence of information technology and physical security technologies. Twenty people attended that session and the exhibitors had no idea what we were talking about. This year it’s all about IP. It seems that everything at the show is now designed to run on your IP network; the exhibitors are now talking about APIs and video compression. But what is also amazing is how digital technology is expanding the capabilities of traditional, old school, physical security tools.

Also in the spotlight: economic espionage. Lynn Mattice (former CSO of Boston Scientific and now with the Security Executive Council) joined the FBI’s Tom Mahlik to discuss what the FBI is doing to help businesses address this evergreen challenge. I ran into Mattice and Security Executive Council Founder Bob Hayes on the show floor and heard about how CEOs have been after the FBI to help them solve, or at least minimize, this tremendous problem. I’ve also had some conversations on this topic recently with some leaders in the financial industry who indicated that this is a quickly growing problem for them and of great concern....

-Bob Bragdon, Publisher, CSO
Identity-Aware Networks: Bringing Efficiency to Compliance

• The top pain points in meeting compliance are time/resource consumption (61%) and dispersed data (55%).

• 68% say an “identity aware” network solution would be very or extremely valuable.

• A security breach (59%) or compliance initiative (54%) is most likely to prompt consideration of an identity aware network solution.

Security, risk and, more importantly, compliance are top of mind for CSOs at most enterprises. Each of these IT management challenges is complicated by today’s collaborative network environments.

“IT already has the tools to satisfy compliance requirements, but it takes too much time and energy to get it done,” says Brian Nugent, president and CEO of San Francisco-based Applied Identity. It’s an identity-aware network strategy, he says, that can deliver the operational efficiencies CSOs need to breeze through audits.

A recent study by IDG Research Services reveals that a strong majority of information security leaders do indeed see the value in an identity-aware network, but they are still waiting on catastrophe as the catalyst for adoption.

The Compliance Drain

In these highly regulated times, CSOs are on the hot seat, struggling to keep pace with regulatory requirements amidst ever-shrinking budgets. In fact, respondents say that in working toward compliance they are primarily challenged by time and resource constraints and data being dispersed across multiple systems, followed closely by difficulties in applying access control and enforcing policy.

It is today’s IP-based network topologies that exacerbate the problem, with respondents most often complaining that such networks provide no unified view of a user's network activity, add to infrastructure complexity, and make it difficult to maintain access policies.

What’s more, the fact that networks are largely open, inviting users in who are outside the immediate circle of trust, creates even more havoc, Nugent explains. Access control and auditing becomes more burdensome because the number of disparate identities increases, and at the same time more visibility and higher granularity is needed to protect assets.

“Critical asset protection is by far the first thing you should do to secure the enterprise,” says Nugent. “But asset protection and data classification are highly inter-related.” For example, only a very small percentage of any workforce, particularly those that include contractors and partners, requires access to sensitive applications and data.

Identity-Aware Networks Make for Best Practice

New network strategies are crucial at this juncture. Enterprises must be able to differentiate network access based on who users are and what they do. “This is a universal best practice today because identity is the only unique ‘constant’ identifier in the network to determine global access policies,” says Nugent.

An “identity-aware” network enables enterprises to gain visibility into and auditing of user access to critical resources based on their identity, define global access policies based on user, role or group, and then enforce such policies at the network level.

Nugent points to several primary advantages that identity-aware networks have over traditional IP-based networks: Identity-aware networks offer better visibility and granularity, facilitate compliance, and result in much greater efficiency. A full 68 percent of respondents agree, indicating that an identity-aware network is a very or extremely valuable common-sense best practice.

Catalyst for Change

Still, CSOs seem to be in reactive mode. In considering an identity-aware network solution, the two catalysts most frequently referenced by respondents include a security breach or data compromise or a compliance initiative.

But is waiting on catastrophe the right strategy? Nugent emphatically says no. “If you don't look at this proactively, your overall risk increases and the network becomes unmanageable,” Nugent concludes. "Strengthening your network defenses with identity goes a long way toward minimizing the irreversible damage a data breach can have on your business.”

To learn more about the impact an identity-aware network can have on your business, go to www.csoonline.com/whitepapers/identity now for a free download of the full white paper.
Safe harbors for encryption: not safe?

Edited by Sarah D. Scalet

RISK ASSESSMENT

Is That USB Download Really Worth the Security Risk?

Scoring methodology used by City of London Police helps officers see whether the risks involved with sharing data are worth the benefits. Could this evaluation criteria work for your organization?

Some of the most sensitive digital data in London resides on the servers of the City of London Police, and a great deal of effort goes into making sure that it isn’t downloaded onto portable devices and then lost or stolen.

Some of the precautions are technical, says Gary Brailsford, CIO and head of information management at the City of London Police, which is tasked with policing London’s financial district, the so-called Square Mile. (The Metropolitan police force handles the general policing of London.) Officers’ desktop computers, for example, are configured so that data must be stored on secure, centrally managed network drives, rather than on local C drives. The use of e-mail for file sharing is actively discouraged and is monitored. Software from security vendor DeviceLock prevents data from being downloaded onto floppy drives or USB thumb drives. And when it is necessary to use portable media, for instance, so that data can be shared with external agencies such as the Crown Prosecution Service and the Serious Fraud Office, the department has a preferred device: MXI Security’s Stealth MXP biometric USB drive.

Rather than leaving it up to officers to decide when they can use the biometric USB drive, however, the department has created a detailed risk-assessment policy, one that not only establishes a framework for making decisions but also allows officers insight into the process.

Here’s how it works. Before an officer can download any data onto removable media, he or she must file a formal application to do so and explain what information is involved, how sensitive it is, its security classification, why downloading is required, what steps will be taken to protect it, and what the consequences of loss might be.

Based on the answers, officers can then apply two scoring methodologies used by decision makers: one for risks involved in sharing the data, the other for benefits accruing. In doing so, they can see the likelihood of their request being granted, and at what security level the decision will be made. This part of the form isn’t mandatory, explains Brailsford, but is included for informational purposes and to demonstrate transparency into the process. (Visit csoonline.com/article/329014 to see an excerpt of the risk assessment.)

Completed applications that show excessive risk without the necessary benefit are turned down, Brailsford says. Alternatively, officers requesting permission to, say, download data onto CD-ROMs might be directed to use more secure means, such as the biometric USB device. As a final backstop, the downloading of information with the very highest security classifications is simply prohibited.

“The intention is to encourage the officer to make a judgment call about the desirability of downloading the data in question,” Brailsford says. “It’s not about blindly asking permission and filling in the questions. Officers need to think about the fuller implications of what they are asking for, and weighing the risks and the benefits.”

-Malcolm Wheatley

Illustration by Francis Blake
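The approval flow described above, modelled as an added example; this is not the City of London Police's actual form or scoring. The form fields and the order of the rules (highest classification prohibited, excessive risk without benefit denied, CD-ROM requests redirected to the preferred biometric USB device, otherwise approved at a given decision level) follow the article; the point scales, mitigation credits, classification labels and approver tiers are assumptions, as are the sample applications.

```python
from dataclasses import dataclass, field
from enum import IntEnum


class Classification(IntEnum):
    """Protective markings, lowest to highest (assumed labels)."""
    UNCLASSIFIED = 0
    RESTRICTED = 1
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4   # assumed "very highest" marking: download prohibited outright


# The department's preferred device per the article; everything below it is assumed.
PREFERRED_MEDIUM = "biometric_usb"
MITIGATION_CREDIT = {"biometric_usb": 2, "encrypted": 2, "access_logged": 1, "time_limited": 1}
# Assumed approver tiers: (highest risk score this tier may sign off, role).
DECISION_LEVELS = [(4, "line supervisor"), (9, "information security manager"), (99, "CIO")]


@dataclass
class DownloadRequest:
    """The formal application an officer files before copying data to removable media."""
    information: str                 # what information is involved
    classification: Classification   # its security classification
    sensitivity: int                 # how sensitive it is, 1 (low) to 5 (high), assumed scale
    loss_impact: int                 # consequences of loss, 1 to 5, assumed scale
    benefit: int                     # value of sharing it, 1 to 5, assumed scale
    justification: str               # why downloading is required
    medium: str = PREFERRED_MEDIUM   # "biometric_usb", "cdrom", "usb_thumb", ...
    protections: list = field(default_factory=list)   # steps taken to protect it


@dataclass
class Decision:
    outcome: str          # PROHIBITED, DENIED, REDIRECT or APPROVED
    risk: int
    benefit: int
    approver: str = ""    # security level at which the decision is made
    note: str = ""


def risk_score(req: DownloadRequest) -> int:
    """Risk methodology: sensitivity and loss impact, weighted up by classification,
    less credit for each protection step the officer commits to."""
    base = req.sensitivity + req.loss_impact + 2 * int(req.classification)
    credit = sum(MITIGATION_CREDIT.get(p, 0) for p in req.protections)
    return max(base - credit, 0)


def benefit_score(req: DownloadRequest) -> int:
    """Benefit methodology: the stated benefit counts double; no justification, no benefit."""
    return req.benefit * 2 if req.justification.strip() else 0


def decision_level(risk: int) -> str:
    """Lowest approver tier allowed to decide a request carrying this much risk."""
    for ceiling, role in DECISION_LEVELS:
        if risk <= ceiling:
            return role
    return DECISION_LEVELS[-1][1]


def assess(req: DownloadRequest) -> Decision:
    """Apply the article's rules in order: the backstop prohibition, then risk
    versus benefit, then redirection to the preferred device, then approval."""
    risk, benefit = risk_score(req), benefit_score(req)
    if req.classification >= Classification.TOP_SECRET:
        return Decision("PROHIBITED", risk, benefit, note="highest classification: never downloaded")
    if risk > benefit:
        return Decision("DENIED", risk, benefit, note="excessive risk without the necessary benefit")
    if req.medium != PREFERRED_MEDIUM:
        return Decision("REDIRECT", risk, benefit, decision_level(risk),
                        note=f"use {PREFERRED_MEDIUM} rather than {req.medium}")
    return Decision("APPROVED", risk, benefit, decision_level(risk))


# Constructed sample applications, not real cases.
CPS_CASE_FILE = DownloadRequest(
    "witness statements for a fraud case", Classification.CONFIDENTIAL, 3, 3, 4,
    "disclosure to the Crown Prosecution Service", "biometric_usb", ["biometric_usb", "encrypted"])
CPS_ON_CDROM = DownloadRequest(
    "witness statements for a fraud case", Classification.CONFIDENTIAL, 3, 3, 4,
    "disclosure to the Crown Prosecution Service", "cdrom", ["encrypted"])
JOINT_OPERATION = DownloadRequest(
    "source identities", Classification.TOP_SECRET, 5, 5, 5,
    "joint operation briefing", "biometric_usb", ["biometric_usb", "encrypted"])
HOME_WORKING = DownloadRequest(
    "incident log extract", Classification.RESTRICTED, 2, 2, 1, "work from home", "usb_thumb")
PUBLIC_STATS = DownloadRequest(
    "published crime statistics", Classification.UNCLASSIFIED, 1, 1, 2,
    "briefing pack for a community meeting", "biometric_usb", ["biometric_usb"])

if __name__ == "__main__":
    for req in (CPS_CASE_FILE, CPS_ON_CDROM, JOINT_OPERATION, HOME_WORKING, PUBLIC_STATS):
        d = assess(req)
        print(f"{req.information:36} {d.outcome:10} risk={d.risk:2} benefit={d.benefit:2} "
              f"{d.approver} {d.note}")
```

Because the scores are computed before the officer submits, the same function gives the "preview" the article says the optional part of the form provides: the likely outcome and who will decide it.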
THREAT WATCH

Cold Feet About Cold Boot

Should new attack on encrypted disks change the way lawmakers approach disclosure legislation “safe harbors”?

Last winter, researchers at Princeton University demonstrated how they could get data off encrypted disks by extracting the encryption key from RAM, even if the machine was password-protected, in sleep mode or had just been powered down. Called the “cold boot” attack, in part for its use of sprayed canned air to slow down data decay, the attack has had security professionals breaking out in a cold sweat, and encryption vendors scrambling to create countermeasures.

But what about lawmakers? Of the 40 or so states that have passed legislation requiring organizations to notify citizens whose personal information has been compromised, most have established a “safe harbor” for encrypted information. The theory is that if lost or stolen personally identifiable information has been encrypted, it hasn’t really been compromised, because it can’t be accessed.

Of course, security experts have known all along that encryption isn’t foolproof. But with all the new attention being paid to encryption vulnerabilities, will lawmakers change their tune about the safe harbor for encryption? It doesn’t appear likely.

“I haven’t heard anyone who is directly involved in the legislation raise that issue,” says David Sohn, senior policy counsel at the Center for Democracy and Technology, a public interest group focused on technology and civil liberties. Nor do any state legislatures seem to be interested in modifying their safe-harbor provisions.

This lack of interest is apparently the result of two things: the difficulty of getting such bills passed in the first place and the unlikelihood of a real-world threat from a cold boot or similar attack.

The states with data-breach notification laws have generally simply adapted the first such law, passed in California, without a lot of differentiation. “I think enough of the state laws have followed similar patterns that at the moment, I don’t sense that companies that have to live with the laws are finding compliance to be impractical," Sohn says.

The other consideration is simply that, as far as we know, no one has been hit yet with a cold-boot attack. While the vulnerability is well demonstrated and a proof-of-concept utility from McGrew Security is widely available, the exploit still requires technical knowledge and the will to perform a rather involved procedure to get at the contents of the hard disk.

“Basically, the fact that it’s technically doable doesn’t mean it’s likely to happen,” says Tom Ruffolo, president of eSecurityToGo, a security and compliance consultancy. “The question is, what is the likelihood that a particular computer will be attacked with this [exploit]?”

According to Sohn and security researcher Wesley McGrew of McGrew Security, however, the cold-boot attack does point out a weakness in the current laws and in the thinking of many companies: The data-breach laws don’t specify what is needed to qualify as “encryption.” Theoretically, a company could encrypt its data with ROT13 and not have to notify consumers in the event of a breach. (ROT13 is a simple 13-character shift cipher sometimes used to hide the punch line of jokes in newsgroup messages. It’s about as secure as a papier-mâché padlock.) A better approach, they say, would be to specify some level of security needed to trigger the safe-harbor provision.

“You might want to include at least some kind of standard in there saying the data protection has to be strong enough to provide significant protection,” Sohn says. “You wouldn’t have to get real specific [in the bill].”

Says McGrew: “I believe that, at the least, regulations should require a set of ‘secure practices’ to go along with encryption requirements to ensure that the encryption technologies are being used in the safest possible way.”

Regardless of the compliance implications, McGrew says organizations should be sure to understand the level of protection that their disk-encryption products provide. “Does this product erase the key from memory when I suspend or hibernate my laptop?” he asks. “The answer should be yes. Do I leave my laptop unattended while encrypted file systems are open? The answer should be no."

-Rick Cook
4 Ways to Make a Business Case for Identity Management

Sure, a good identity management program is great for security and oftentimes necessary for compliance. But there are other business benefits as well. Here are some tips on making your case.


1. Articulate the Performance and Productivity Benefits

“It all comes down to putting things in black and white and explaining how IDM can help reduce the costs related to a certain action or set of business processes,” says Martin Gee, CTO at ICSynergy, an identity management consultancy. Many times, an IDM case can be made as it relates to help desk costs. You could explain how much time per month the company is spending on password resets, and how much money an IDM system that puts password resets into the users’ hands could save the company.

2. Create a Tangible, Phased Implementation Plan

If you don’t have an idea of how you are going to accomplish what you say you will, an IDM implementation can become a never-ending spiral, says Bryan Palma, vice president of global information security at EDS and former CISO of PepsiCo. “Organizations that try to do too much end up not moving the ball down the field at all. You have to get tangible around your operational plan (what you can get done within a reasonable time frame) and then incrementally push up the bar as you move forward.”

This key concept of “underpromise and overdeliver” can be accomplished by taking a phased approach to IDM that produces results at various intervals, says Chris Gervais, SOA program architect and technology relationship manager at Partners Healthcare in Boston. “Use a short-term vision (within a year we want to make sure we can synchronize user passwords across all enterprise-facing systems) instead of a long-term one (our goal is to have a completely pervasive distributed federated IDM system that allows us to interoperate and connect with customers and reduce the cost of M&As) right off the bat.”

3. Have a “Mr. or Ms. IDM”

The project’s success is dependent on the buy-in and participation of business groups at every step in the process. That’s why Gervais and Palma agree that every company should have a “Mr. or Ms. IDM,” one person responsible for explaining where the organization is manually, what the vision for automation is and how the plan will be executed.

Gervais says the person in charge should be focused on building relationships with the departments most affected by implementation of IDM software. “That includes infosec departments, customer-facing departments, the help desk (which bears the burden of a lot of the operational issues with IDM) and perhaps the director of application development,” he says.


4. Avoid Scare Tactics or Pigeonholing

Gervais also says to avoid the use of fearmongering to prod the business into getting something done. “That’s almost like crying wolf. You run out of credibility quickly because you haven’t built a business case. You’ve built an emergency,” he says. That isn’t to say you shouldn’t articulate and communicate risk, but when you fall back on it consistently, you’ve created a grudging way for the business to accept your solution.

The other no-no is focusing on IDM as a solution to only one problem. If you do that, Gervais says, you artificially limit its business value and pigeonhole the plan. “Because budgets are limited, you have to make a business case for something that is highly leverageable. You need to be agile enough to take business input, iterate over it and continually evolve your program to meet those needs,” he says. That means constantly tying the benefits of IDM back to operational efficiency, reduction of redundant infrastructure, consolidation of policies, improved authentication infrastructure and other procedures.

-Katherine Walsh
HOW TO CHOOSE A HOME PC BACKUP METHOD

It’s not only mission-critical business information that should be backed up. The data on your home PC needs the same treatment. You can choose between the traditional method of saving files on storage media yourself and a newer way of storing your data with an online service provider. We talked to two experts about the security, management and cost benefits of both methods.


Factor 1: Security

From a disaster recovery perspective, the risks of keeping backup data and original data in the same place are obvious. “Any event that is going to take out your PC or server, like a fire, is also going to take out your backup,” says Adam Couture, principal research analyst at Gartner. Having that data at a remote location ensures that it remains safe, even if the original data is lost.

Another benefit: encryption. Gary Chen, senior analyst at the Yankee Group, says encryption is mandatory with online backups. Encryption of USB keys, external hard drives and other methods of backup is an option, but it’s not something that many people choose to enable, he says, which means data on stolen or misplaced external media remains vulnerable.

Factor 2: Ease of Management

Online data backup is also easier to maintain because it’s fully automated, says Couture. While traditional methods can be easy to manage if you’re diligent, you have to be motivated to stay on top of things. “There isn’t a [universal] sound strategy for what to back up and when to back it up,” he says.

The online process is built around a software program that runs on a particular schedule (once a day or once a week, depending on your needs). The data you want to back up (which could be classified by folder or file type, again, according to your needs) is collected, compressed and encrypted, and then automatically transferred to the remote servers of the provider, eliminating the need for intervention.

Backing up online, however, does require you to have a constant and reliable Internet connection at all times, and it can be stressful on bandwidth. Typically, an initial backup is conducted when you sign up for the service and is followed by incremental backups from then on. Chen says that if the initial data transfer proves to be unmanageable for the connection, some providers will allow you to send them a backup on a portable storage device. They will store the original data on their server, and from then on perform incremental remote backups, which are less bandwidth-intensive.

Factor 3: Cost

The main difference in pricing is whether you want to pay more up front for a storage device and media, or pay a smaller amount on a monthly basis for an online service. If you go the online route, Couture says that some providers base pricing on the amount of data they’re protecting, others base it on the number of machines they’re backing up, and still others base it on the number of versions of each file being backed up.

EVault and Mozy are two of the high-end service providers, says Chen, while IBackup and Carbonite provide services typically geared toward consumers and small office/home office users.

Prices vary. IBackup has plans that start at $9.95 per month for 10GB, and Carbonite advertises a price of $49.95 per year for any size backup. Symantec also has integrated its traditional legacy product, Backup Exec, with an online service called the Symantec Protection Network, with prices starting at $25 per month for 5GB.

-Katherine Walsh
AWARENESS

WAKE-UP CALL

People are the weak link in any company’s security environment. But they can be made stronger, with the right kind of education.

Rob Cheyne, founder and CEO of Safelight Security Advisors, believes that security is everyone’s job. The philosophy that everyone shares a piece of the responsibility is the cornerstone of his approach to security education: He specializes in software developers, but he trains employees of all stripes in everything from security awareness to security fundamentals. Cheyne, a veteran of Symantec, @stake (a computer security services company that he helped found) and Internet Security Advantages, spoke with CSO about his classroom approach (training sessions run from a couple of days to a week) and why he thinks enterprisewide security education is critical.

CSO: What are the major challenges you face when it comes to educating developers on critical security issues?

Cheyne: It’s tough to get people to change the way they do things. All of the common attacks we’ve known about for a very long time are still out there, and people still regularly make mistakes regarding them. Getting the developers to want to be in the room is another challenge. They don’t want to be sitting through an eight-hour training class.

Why do we fail to write secure applications? Is it lack of awareness? Complacency? Lack of understanding?

All those things. But companies are not allocating enough time and money for security because they just see it as a line item. They don’t understand that it needs to be intricately woven throughout the entire process.

How hard is it to convince companies that fixing bugs in the design phase is cheaper than doing it farther down the lifecycle?

People usually get it. It’s a classic IBM study: A $1 bug in design will cost more in development, and so on. That’s because in design, you just start over. At the point of development, you’ve already written code. Now you not only have to change the design, but you have to change the code. If you find a bug even farther down the line, in testing, you basically have to rework the entire system. But there’s still that challenge of getting people to do something about it once they get it.

How do you ensure that training is effective once people return to work?

Training needs to be made relevant and real. You need to use examples of things that are specific to what they’re doing on a daily basis. But theoretical training is essential too. Many mistakes are theoretical things. Learning about how to build a layered defense, even though it’s theoretical, is one of the best defenses. Sanitizing output and validating input: Those are your best defenses. If you’re not doing those things properly in the first place, teaching people specific lines of code to add to their applications isn’t going to help them. You have to learn the theory to really understand security.

Other than training, how do we improve information security?

Security basically has three legs: technology, people and processes. Ultimately, building a secure system is a process: It involves technology, but it also involves people working on the systems. You have to make appropriate technology choices, but it’s how you use that technology that matters. The training is critical so everyone understands specifically what they need to do to maintain security.

-Katherine Walsh

CAREER

A CLEAR DIFFERENCE

Want to make an extra $19K a year? That’s the average salary difference between IT professionals with and without a security clearance, according to one recent survey. Below, average salaries for the five highest-paying job categories:

Job category                     Cleared     Uncleared
IT management executive          $116,935    $86,179
Database admin (Oracle)          $101,905    $75,000
IT management project manager    $100,089    $75,000
Project/program management       $94,231     $57,549
Systems engineer                 $93,202     $60,000

Source: 2008 salary survey done by ClearanceJobs.com, a recruiting website for professionals with U.S. security clearances.

May 2008 www.csoonline.com 17


by Stacy Collett

NAC Attack

New tech gadgets and a highly mobile workforce have raised the security stakes for corporate networks. Network Access Control to the rescue? Perhaps, but users face a confusing morass of options.

The traveling business reps for a Midwest insurance company are supposed to generate revenue for the firm, but IT staff recently discovered that many of them were bringing home value and viruses to the company.

“They saw through their antivirus [management software] that they were having problems, but they didn’t know where [the viruses] were coming from,” explains Rich Langston, senior manager of product management at Symantec, speaking about a customer’s experience. The firm tracked the viruses and found that out-of-date antivirus software on the travelers’ laptops caused the security hole. The IT staff didn’t catch the problem because these road warriors rarely spent time at the home office updating or patching their security software.

It’s a valuable lesson for companies on the go.

Today’s highly mobile workforce, along with a plethora of new tech gadgets and access to the Internet from anywhere, has raised the security stakes for corporate networks. Laptops, PDAs and cell phones were just the beginning. The number of network threats has increased exponentially, with VoIP phone capabilities, Web access from hotels, dorm rooms, airports and coffee shops, and even internal sabotage.

Network Access Control (NAC), a set of technologies that aim to ensure that only authorized users with fully patched and virus-protected hardware can access corporate resources, is more important than ever, not just for outside guests gaining access to internal networks, but for employees who have no business in the company’s more data-sensitive systems.

A full NAC cycle solution includes pre-admission inspection and post-admission monitoring, a policy decision and enforcement point, and a method of quarantine and remediation for noncompliant machines. When a user requests access, the machine is checked and, if found to be compliant, it is allowed to access the network. Post-admission monitoring will ensure that the user

Illustration  by  Colin  Johnson 




stays compliant by entering the assessment/decision/enforcement process again periodically. If the user is found to be noncompliant, NAC solutions should offer a means of quarantine and remediation to bring the user into compliance. The user should then be allowed to access the network, once again under post-admission monitoring.
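The admission, quarantine, remediation and re-assessment cycle just described, as an added example in Python (not code from any NAC product named in this article): a small policy decision point in which the posture checks, thresholds, hostnames and the monitor-only switch are constructed assumptions, and the simulation shows how an admitted laptop drifts back into quarantine when its signatures age.

```python
"""Toy NAC admission cycle: pre-admission inspection, policy decision,
quarantine/remediation and periodic post-admission re-assessment.

Added example, not code from any NAC product named in the article.  The
posture checks, thresholds, hostnames and the monitor-only switch are all
constructed assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, replace
from enum import Enum


class Access(Enum):
    ADMITTED = "admitted"        # production network
    QUARANTINED = "quarantined"  # remediation VLAN only
    DENIED = "denied"            # user not authorized at all


@dataclass
class Endpoint:
    host: str
    user_authorized: bool
    patch_level: int             # constructed: number of the installed patch baseline
    av_signature_age_days: int
    av_running: bool


@dataclass
class Policy:
    required_patch_level: int = 42   # constructed threshold
    max_signature_age_days: int = 7
    enforce: bool = True             # False = "monitoring instead of enforcement"


def posture_failures(ep: Endpoint, policy: Policy) -> list[str]:
    """Inspection step shared by the pre- and post-admission checks."""
    failures = []
    if ep.patch_level < policy.required_patch_level:
        failures.append("patch_level")
    if not ep.av_running:
        failures.append("av_not_running")
    if ep.av_signature_age_days > policy.max_signature_age_days:
        failures.append("av_signatures_stale")
    return failures


def decide(ep: Endpoint, policy: Policy) -> tuple[Access, list[str]]:
    """Policy decision point: authorization first, then posture.

    In monitor-only mode a noncompliant machine is still admitted; the
    failures are returned so they can be logged and fixed in place.
    """
    if not ep.user_authorized:
        return Access.DENIED, ["unauthorized_user"]
    failures = posture_failures(ep, policy)
    if failures and policy.enforce:
        return Access.QUARANTINED, failures
    return Access.ADMITTED, failures


def remediate(ep: Endpoint, policy: Policy) -> Endpoint:
    """Remediation reachable from the quarantine VLAN: patch, start AV, refresh signatures."""
    return replace(ep, patch_level=max(ep.patch_level, policy.required_patch_level),
                   av_signature_age_days=0, av_running=True)


def run_cycle(ep: Endpoint, policy: Policy, days_between_rechecks: int,
              rechecks: int) -> list[tuple[Access, list[str]]]:
    """Admit once, then re-run the assess/decide/enforce loop `rechecks` times.

    Between rechecks the AV signatures age by `days_between_rechecks`, which is
    how a road-warrior laptop drifts out of compliance after admission.
    Returns every decision taken, in order.
    """
    history: list[tuple[Access, list[str]]] = []

    def assess(current: Endpoint) -> Endpoint:
        access, failures = decide(current, policy)
        history.append((access, failures))
        if access is Access.QUARANTINED:
            current = remediate(current, policy)   # fix, then re-check before readmission
            history.append(decide(current, policy))
        return current

    ep = assess(ep)
    if history[0][0] is Access.DENIED:
        return history
    for _ in range(rechecks):
        ep = replace(ep, av_signature_age_days=ep.av_signature_age_days + days_between_rechecks)
        ep = assess(ep)
    return history


if __name__ == "__main__":
    # Constructed road-warrior laptop: behind on patches, signatures a month old.
    laptop = Endpoint("laptop-07", True, 40, 30, True)
    for access, failures in run_cycle(laptop, Policy(), 5, 2):
        print(access.value, failures)
```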

NAC Roadblocks

Despite the horror stories, adoption of NAC solutions has been slow. Only 27 percent of European and North American companies with 1,000 employees or more have already adopted NAC as of November 2007, and 15 percent will pilot or adopt in the next 12 months, according to Forrester Research in Cambridge, Mass.

Gartner Research Director Lawrence Orans says there are three issues causing network managers to delay deployment of network access control solutions.

1. The waiting game. “People tell us they think the technology is too immature,” Orans says, but that’s not entirely true. “There are some very strong proven solutions from small companies, and you have some of the big players out there making the biggest noise.” For starters, Microsoft in February began shipping its Network Access Protection (NAP) solution with Windows Server 2008.

“It is a product and a framework,” says Robert Whiteley, a senior analyst at Forrester. “The framework has been around, so there are bits and pieces” that companies have been deploying, but they couldn’t fully commit until now, he says.

Cisco’s Network Admission Control solution has also been released but hasn’t lived up to some analysts’ and users’ expectations. “That combination of events has caused people to view the technology as not mature,” Orans adds, but it has also created



a window of opportunity for the little guys. (Gartner tracks 18 of them.)

But some companies can’t afford to wait. MedicAlert, a provider of medical emergency information services, needed to secure the health records of some 450,000 customers while granting safe access to employees, caregivers and the patients themselves to update information. The nonprofit organization thought about waiting to see how the market would play out, and it experimented with some homegrown, open-source solutions, but ultimately decided to go with a Web access control solution in a services-oriented architecture.

“What convinced me was the cost of not doing it,” says Martin Fisher, vice president of IT at Turlock, Calif.-based MedicAlert. “While it is relatively expensive, the cost of not doing it in terms of reputation lost if we actually had a breach would be enormous. While my background in development leads one to think about building everything oneself, it was also clear that we would be better off going with experts in the field rather than building it ourselves.”

2. Money matters. “We also hear objections about expense” in deploying NAC solutions, Orans says. “There are many ways to do NAC; not every one is expensive.” There are three categories of NAC solutions: endpoint software that is installed on all desktops and laptops, appliances that attach to the network and NAC embedded in the infrastructure.

The most economical way to deploy NAC, according to Orans, is to look at the capabilities in existing infrastructure, networks and security products. “See if your current vendors have some embedded NAC functionality that you can turn on,” he says. “That can be your IPS (intrusion prevention system) vendor or Microsoft’s embedded NAC support on the Vista platform with Windows server. Endpoint protection software, such as McAfee, Symantec and Sophos, also has NAC capabilities.”

Some LAN-switch vendors like Nortel Networks and HP also have NAC solutions. “If your network is made up of switches from those vendors, you can add on some components and enable NAC,” Orans says.

Appliances, which sit either in line with all network traffic or “out of band” for specific traffic, are very popular but more costly, particularly if several boxes are needed to handle a large number of network users. Infrastructure expenses are the hardest to quantify because the hardware and software can’t be attributed specifically to network access control functions.

With so many choices and vendors in the market, some users say prices will eventually come down.

“Within five years’ time, products like these will be commoditized to the point where it will be extremely affordable,” predicts Jorge Mercado, principal architect at MedicAlert. Right now, “these [solutions] are typically for larger companies. The vendors’ pricing model is such that whoever visits your site and requires authentication has to be a direct source of revenue. That’s not necessarily the case [for smaller companies], so I think that with time, nonprofit organizations such as MedicAlert will be able to afford to secure their websites and not have to worry about paying a whole lot of money for a solution.”

3. The status quo. Then there are political and operational concerns. IT departments fear that by keeping employees off the network due to a missed patch or out-of-date antivirus software, they’re keeping staff from doing their jobs. “That’s why we see a lot of monitoring instead of enforcement in the early stages of NAC.” Some products allow system managers to simply fix the problem once it occurs in the network without quarantining a particular PC culprit.

“Another concern is, what if I keep the wrong-level person off the network? A C-level executive? That’s potentially damaging,” Orans says, “and it has been an obstacle to NAC adoption.”

In the insurance company’s case, decision makers wanted to make sure that the flow of value continued despite the known virus threat, so they continued to monitor and fix the viruses rather than to shut down the network. “It’s just like any security problem. If your Internet-facing e-commerce server gets a virus, the first thing they do is nothing,” Langston explains. Shutting down the system could mean millions of dollars in losses. “If it’s a regular virus, they’ll let it go until they can figure out what to do.”

What’s more, even HIPAA and Sarbanes-Oxley requirements for data privacy don’t specifically require NAC solutions. “We don’t have to be covered if you go by the regulations,” Fisher explains regarding MedicAlert’s privacy responsibilities. “But we do act as though we were [required]. More importantly, California has a statute that requires us to be covered. It’s not a requirement to use a product like this,” but it does provide the functionality that they need to comply.

What Type of Product Fits Your Company?

With so many choices, research analyst Chris Rodriguez at global growth consulting firm Frost & Sullivan offers his advice for choosing NAC solutions according to company size and type of business.

Organizations that require the highest levels of security should investigate architecture options, Rodriguez says. “It provides comprehensive end-to-end security,” he says. It also allows flexibility in deployment. It can be rolled out in pieces according to budget, time, testing requirements and geographic constraints. The solution also scales easily. “They scale in direct relationship to the size of the network” because it’s part of the network infrastructure, he adds.

Market share-leading vendors in the infrastructure space include Juniper Networks, HP and Cisco.

Appliances have a good pricing advantage over infrastructure solutions, especially for smaller organizations. A single point device makes it easy to implement and maintain, Rodriguez says. But there are limits to how many users the device can support. The number varies from 2,000 to 4,000 users per box. “That makes scalability something that you should consider,” he says. Also, in-line devices represent a single point of failure. “So definitely use redundant boxes, but that increases the cost.” An out-of-band device eliminates that problem.

Players in the NAC appliance market include Mirage Networks, ForeScout, TippingPoint, and Nevis.

Endpoint agents or software are appropriate for all company types. Leading vendors include Symantec, McAfee, and London-based Sophos.

“You really need two products,” Whiteley says. Deploy a software agent on all company machines, and deploy an appliance to handle pre- and post-admission activities to patrol all guest machines, he adds. Most importantly, the two products need to communicate with each other, which isn’t hard to do.

Major vendors have pledged to work with standards groups like Microsoft’s Network Access Protection and the Trusted Network Connect specification set up by the Trusted Network Connect organization for interoperability. (In May 2007, Microsoft and TNC agreed to make their frameworks interoperable.)

Deploying NAC security points on both ends of the network spectrum will improve the chances of having a safe network.

“If you’re investing in patch configuration management or other security tools, they’re only as good as they are widely deployed and correctly configured,” Langston adds. “Users have suspicions about whether that’s why their laptops are slow, and they may disable these products from time to time. With NAC you can ensure that these things don’t happen and that you’re covered.” ■

NAC Options

Network Access Control choices fall into three general categories.

NAC infrastructure providers:
- Juniper Networks
- HP
- Cisco Systems
- Nortel Networks

NAC appliance vendors:
- Cisco Systems
- ConSentry Networks
- ForeScout Technologies
- Lockdown Networks
- Mirage Networks
- Nevis Networks
- TippingPoint (Intrusion Prevention System appliance)
- Aruba Networks

Endpoint software vendors:
- Bradford Networks
- Checkpoint
- Impulse Point
- InfoExpress
- McAfee
- Sophos
- Symantec


Stacy Collett is a freelance writer based in Chicago. Send feedback to Editor Derek Slater at dslater@cxo.com.
GE’s director of incident response says the discipline has come a long way—but with threats changing rapidly, an efficient detection and response program is more critical than ever

By Richard Bejtlich

2008 is a special year for the digital security community. Twenty years have passed since the Morris Worm brought computer security to the attention of the wider public, followed by the formation of the Computer Emergency Response Team/Coordination Center (CERT/CC). Ten years have passed since members of the L0pht Heavy Industries told Congress they could disable the Internet in 30 minutes. Five years have passed since the SQL Slammer worm, which was the high point of automated, mindless malware. The Internet—and digital security—has certainly changed during this period.

The only constant, however, is exploitation. For the past 20 years intruders have made unauthorized access to corporate, education, government and military systems a routine occurrence. During the past 10 years structured threats have shifted their focus from targets of opportunity (any exposed or vulnerable asset or both) to targets of interest (specific high-value assets). The last five years have shown that no one is safe, with attackers exploiting client-side vulnerabilities to construct massive botnets while pillaging servers via business logic flaws.

Despite the security community’s 20 years of practical experience trying to prevent compromise, intruders continue to exploit enterprises at will. While they may not be successful attacking any specific asset (unless inordinate resources are applied), in aggregate intruders will always find at least one viable avenue for exploitation. The maxim “Prevention eventually fails” holds for any enterprise of sufficient size, complexity and asset value to attract an intruder’s attention. The threshold has fallen to the point where a single home PC is now considered “worthy” of the same sorts of attacks levied against multibillion-dollar conglomerates.

In a world where the adversary eventually breaches some aspect of a target’s protective measures, what’s an enterprise security manager to do? The answer is simple: 1) Detect compromise as efficiently as possible; 2) respond as quickly as possible; and 3) investigate using digital forensics as effectively as possible. This article will provide several ways to think about this issue and implement detection, response, and forensics capabilities to support your enterprise.

Incident Detection

INCIDENT DETECTION HAS suffered from a variety of misconceptions and miscommunications during its history. One of these has been the narrow way in which most operators view the detection process. I recommend thinking of incident detection in terms of three “orders.”

First-order detection is the traditional way to apply methods to identify intrusions. It concentrates on discovering attacks during the reconnaissance (if any) and exploitation phases of compromise. Reconnaissance is the process by which an intruder learns enough about the target to effect intrusion. Exploitation is the process of abusing, subverting or breaching a target, thereby imposing the intruder’s will on the asset. Almost all security products that seek to detect and “prevent” attacks monitor activity during these stages of the compromise lifecycle.

Second-order detection moves beyond reconnaissance and exploitation to the final three stages of compromise: reinforcement, consolidation and pillage. Reinforcement is the process by which an intruder leverages the unauthorized access gained in order to build a more stable platform for repeated reentry. Downloading and installing a remote-access Trojan program is a classic reinforcement activity. Consolidation is the act of controlling a compromised asset using the means installed during reinforcement. Pillage is the execution of the intruder’s ultimate plan, which could be pivoting on the target to attack another system, exfiltrating sensitive information, or any other nefarious plan. Second-order detection focuses on identifying any of these three phases of compromise, which can be highly variable and can operate at the discretion of the intruder.

Third-order detection occurs outside the realm of the five phases of compromise by concentrating on post-pillage activities. Whereas first- and second-order detection is done at the enterprise, by watching hosts, network traffic, logs or possibly even sensitive data, third-order detection takes place outside the enterprise. Third-order detection seeks to discover indications that preventive and detection mechanisms have failed by finding the consequences of an intrusion. Looking for these sorts of signs could take the form of searching for, and finding, private company documents on peer-to-peer networks, or intruder-operated botnet servers, or a competitor’s release of a product uncannily similar to your company’s own. Each of these events indicates that a breach or policy violation occurred, yet none may have been detected by conventional means. Third-order detection is a powerful way to determine whether the formal detection mechanisms operated by an organization’s security team make any difference in the real world.

A complementary way to think about detection takes the form of six maturity levels. Using the ideas below, you can determine how advanced your detection initiative may be.

Level 0. No primary detection method exists. No formal data sources are used. No actions are taken, since this “blissful ignorance” hides the fact that the enterprise could be (and probably is) severely compromised.

Level 1. Customers, peer organizations and users are the primary detection methods. No data sources beyond those provided by the aforementioned parties are available. The predominant reaction is to form an ad hoc team to fight fires on a repeated basis.

Level 2. Customers, peer organizations and users are still the primary detection methods. However, the organization has some data store from which to draw conclusions—once the enterprise knows it must look for clues. Reaction involves more firefighting, but the officers aren’t quite as blind as they were at level 1, thanks to the availability of some logs.

Level 3. The Computer Incident Response Team (CIRT) is discovering incidents in concert with the parties listed at levels 1 and 2. Additional data sources augment those aggregated at level 2. The CIRT develops some degree of formal capability to detect and respond to intrusions.

Level 4. The CIRT is the primary means for detecting incidents. All or nearly all the data sources one could hope to use for detection, response and forensics are available. The CIRT exercises regularly and maintains dedicated personnel, tools and resources for its mission.

Level 5. The CIRT is so advanced in its mission that it helps prevent incidents by identifying trends in the adversary community. The CIRT recommends defensive measures before the enterprise widely encounters the latest attacks. The CIRT operates a dedicated security intelligence operation to stay in tandem with or even ahead of many threat agents.

Incident detection naturally leads to incident response, where actions are taken to contain, eradicate and recover from intrusions.

Incident Response and Forensics

TWENTY YEARS AGO incident responders were taught to locate a potentially compromised computer and literally, physically, “pull the plug.” The idea was to eliminate the possibility that an intruder occupying a compromised system could notice a normal shutdown and implement techniques to evade detection. Incident responders also worried that intruders might have planted rogue code that started cleanup routines upon initiation of a shutdown command.

Following the abrupt removal of the power cord, incident responders would duplicate the hard drive (usually 40MB—if it had a hard drive at all in 1988!) and scrutinize the duplicate for evidence of malfeasance. Despite the small hard drive size, this process took time, physical locality (to acquire the hard drive) and expertise.

In 2008, and really for the last decade, the situation has been vastly different. Pulling the plug has been a discredited strategy for years. The major problem with abruptly removing power is the removal (heroic freezing efforts to the contrary) of volatile evidence from system RAM. System RAM is the place where computers store much of the data that incident responders care about, like running processes, active network connections and so on. Most of that sort of high-value information is not stored on the hard drive, so it perishes when power disappears.

For example, do you remember the Slammer worm mentioned previously? Slammer was completely memory-resident. Remove the power and Slammer disappears. Unless an intruder takes steps to entrench himself on a system (in the reinforcement stage), sometimes a simple reboot is enough to remove him (at least temporarily). If the original vulnerability persists, reexploitation may quickly follow. For a certain category of stealth-minded intruders, reliance on reexploitation is the preferred means to maintain a low-profile network presence.

The question of who pulls the plug, and when it could happen, is also paramount in 2008. Most important systems run in data centers built for uptime and redundancy. Pulling the plug isn’t a normal operation, and even getting to the server in question can be an adventure. Furthermore, few asset owners would consent to having their money-making systems abruptly removed from operation. Some managers are willing to tolerate compromise because losing a production host is considered the greater risk (never mind that hacker—we need to make money!).

Given these realities, incident response in 2008 is now a different animal. Often a system suspected of being compromised is on another continent, in the hands of a user who may not even speak the same language as the security team. Hard drives are routinely 80GB to 160GB on laptops and more than 500GB on servers, with storage area networks and related systems easily exceeding any investigator’s ability to duplicate. With such huge volumes of data to analyze, it makes more sense to concentrate on the 4GB of virtual memory present on 32-bit systems.

Incident responders are increasingly relying on live response, or the collection and analysis of system RAM for indicators of compromise. Live-response activities have been used for the last eight to 10 years by professional investigators in high-end cases, but modern realities are forcing most security pros to add the techniques to their repertoire. Current tools usually push an agent or executable to a remote system, capture or parse memory, and communicate the results to a central location. There an expert human or, in some cases, a series of programs, reviews the evidence for signs of malware or unusual activity.

In addition to remote retrieval and analysis of memory, incident responders and forensic investigators are trying to avoid duplicating the entire hard drive of target computers. Increasingly it is just not technically possible or cost-effective to do so. Judges, agents and investigators who were taught that only a bit-for-bit copy was a forensically sound copy will have to wake up to the expansive nature of today’s digital environment. Why copy a 2-terabyte RAID array on a server if cursory analysis reveals that a small set of files provides all the necessary evidence to make a sound case? Expect greater use of “remote previews” during incident response and select retrieval of important files for forensic analysis.

In addition to focusing on just the material that matters, modern incident response and forensic processes are more rapid and effective than historical methods. When hard drives were 40MB in size, it was feasible for a moderately skilled investigator to fairly thoroughly examine all the relevant data for signs of wrongdoing. With today’s volume of malicious activity, hard drive size and efforts to evade investigators (counter- and antiforensics, for example), live response with selective retrieval and review is a powerful technique. ■
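The article says a live-response capture of RAM is reviewed by an expert or by “a series of programs” for signs of malware or unusual activity. The following is an added illustration of such a program, not code from the article or from any vendor’s tool: it takes constructed process and connection records of the kind an agent pulls from memory and flags a memory-resident process (one with no file on disk, as Slammer had none), a listener the host’s baseline does not explain, and an out-of-baseline process holding a connection to an external address. The baseline, PIDs, paths and addresses are all assumptions.

```python
"""Triage of a live-response snapshot.

Added example, not code from the article. The records below stand in for
what a live-response agent captures from system RAM: running processes and
active network connections. Three checks encode signs an analyst looks for:
a process with no backing file on disk (memory-resident, as Slammer was), a
process listening on a port the host's baseline does not explain, and a
process outside the baseline holding a connection to an external address.
Baseline, PIDs and addresses are constructed; 203.0.113.7 is a documentation
address standing in for an Internet host.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Process:
    pid: int
    name: str
    image_path: str
    image_on_disk: bool   # False when the agent finds no file at image_path


@dataclass
class Connection:
    pid: int
    local_port: int
    remote_ip: str        # "0.0.0.0" for a listening socket
    state: str            # "LISTEN" or "ESTABLISHED"


@dataclass
class Finding:
    pid: int
    check: str
    detail: str


# Constructed baseline for a web-server role: what should listen where, and
# which services are expected to open connections to the outside world.
EXPECTED_LISTENERS: Dict[int, str] = {22: "sshd", 80: "httpd", 443: "httpd"}
MAY_TALK_OUT = {"httpd", "sshd", "ntpd"}

# Anything outside these ranges is treated as external to the enterprise.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8")]


def is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def triage(procs: List[Process], conns: List[Connection]) -> List[Finding]:
    """Apply the three checks and return one Finding per hit."""
    by_pid: Dict[int, Process] = {p.pid: p for p in procs}
    findings: List[Finding] = []

    for p in procs:
        if not p.image_on_disk:
            findings.append(Finding(p.pid, "memory_resident",
                                    f"{p.name}: no file at {p.image_path}"))

    for c in conns:
        proc: Optional[Process] = by_pid.get(c.pid)
        name = proc.name if proc else "<unknown pid>"
        if c.state == "LISTEN":
            expected = EXPECTED_LISTENERS.get(c.local_port)
            if expected != name:
                findings.append(Finding(
                    c.pid, "unexpected_listener",
                    f"{name} on port {c.local_port} "
                    f"(baseline: {expected or 'nothing'})"))
        elif (c.state == "ESTABLISHED" and is_external(c.remote_ip)
              and name not in MAY_TALK_OUT):
            findings.append(Finding(c.pid, "unexpected_outbound",
                                    f"{name} -> {c.remote_ip}"))
    return findings


# Constructed snapshot: three legitimate services and one intruder process.
SAMPLE_PROCS = [
    Process(530, "sshd", "/usr/sbin/sshd", True),
    Process(812, "httpd", "/usr/sbin/httpd", True),
    Process(990, "ntpd", "/usr/sbin/ntpd", True),
    Process(4711, "update", "/tmp/.x/update", False),
]
SAMPLE_CONNS = [
    Connection(530, 22, "0.0.0.0", "LISTEN"),
    Connection(812, 80, "0.0.0.0", "LISTEN"),
    Connection(812, 443, "0.0.0.0", "LISTEN"),
    Connection(990, 123, "10.0.0.5", "ESTABLISHED"),
    Connection(4711, 8081, "0.0.0.0", "LISTEN"),
    Connection(4711, 52133, "203.0.113.7", "ESTABLISHED"),
]


def run_sample() -> List[Finding]:
    return triage(SAMPLE_PROCS, SAMPLE_CONNS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"pid {f.pid:>5}  {f.check:<20} {f.detail}")
```

On the constructed snapshot only the intruder process (pid 4711) is reported, once per check; the legitimate services match the baseline and produce nothing.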


Richard Bejtlich is Director of Incident Response for General Electric and author of the TaoSecurity Blog (taosecurity.blogspot.com). Bejtlich began his digital security career as a military intelligence officer at the Air Force Computer Emergency Response Team (AFCERT), Air Force Information Warfare Center (AFIWC), and Air Intelligence Agency (AIA).
CALL CENTERS

For many companies, call centers are where the real business actually gets done. So they require CSOs to strike a balance of physical and digital security measures for employees and customers alike. By Malcolm Wheatley

Pratibha Srikanth Murthy, 24, was raped and murdered on her way to work at a Bangalore call center in the early hours of December 13, 2005. But the court proceedings that gripped India in February this year weren’t the trial of her alleged assailant, cab driver Shiv Kumar. Instead, the case focused on her ultimate superior at work, Som Mittal—the managing director of call center operator Hewlett-Packard GlobalSoft in 2005, when Srikanth Murthy was killed.

Now the president of India’s National Association of Software and Services Companies (Nasscom), the main industry body for the country’s vast outsourcing and call center industry, Mittal has been charged under Indian laws that require certain businesses to provide safe transport for female employees traveling to and from the office at night. Ironically, Nasscom itself helped to draw up guidelines for such transport, which include requirements for guards to accompany drivers in company taxis, and that female employees should not be the first to be picked up or the last dropped off.

And with India’s Supreme Court rejecting in February a challenge to the case being brought, the stage is now set for Mittal—and by implication, Hewlett-Packard GlobalSoft—to face trial. If found guilty, he would face a fine of 1,000 rupees (around $25) and would get a criminal record.

Thankfully, fatal attacks such as that on Srikanth Murthy are relatively rare. But almost three years after the murder, the name of Hewlett-Packard GlobalSoft is still being associated with the case—and that association looks like it will continue for some years. With call centers already the focus of security concerns around keeping data safe, the Srikanth Murthy case is a salutary reminder that it’s also important to keep safe the people who work with that data.

“The reputational risk is enormous,” says Patrick Chagnon, manager of corporate intelligence and investigation at Shelton, Conn.-headquartered security consultancy SSC. “Having employees attacked or robbed at gunpoint isn’t good: People worry that if you can’t protect yourselves, how can you protect others—and their data?”

The trouble is, as regular news reports highlight, there’s not only ample evidence that call center operators are indeed failing to keep safe the data that they should be protecting, but also that their employees run a higher-than-average risk of attack.

“Attacks do happen, and happen all too frequently,” says David Brown, managing consultant for security advisory services at Skokie, Illinois-based consultancy Forsythe Solutions Group. “It’s like ATMs late at night, or mall parking lots—call center employees are vulnerable because call centers are frequently 24-hour operations, and often located in industrial or sparsely populated office park areas.”

What’s more, adds John Beale, managing director of London, U.K.-based Security Alliance, a consortium of specialist information security vendors, the physical security measures—and security personnel—that are in place at call centers are usually focused on another mission altogether: making sure employees aren’t carrying in or out data storage media. “It’s not so much about protecting the employees—it’s more about protecting the data,” he says.

Talk to experts, in fact, and a depressing list of call center security vulnerabilities emerges—poorly protected people, poorly protected data and poorly protected systems.

“When companies undertake penetration testing and audits of their call center’s operations, one of the things that stands out is the sheer number of people who are no longer employed by the organization, but who still have access rights to its computer networks and systems,” says Winn Schwartau, founder of security awareness certification company SCIPP International, and an information security expert who has testified before Congress. “Discovering that someone who left two to three years ago still has access rights is the norm—it’s not even a horror story.”

And according to experts like Schwartau, in many organizations three distinct aspects of call center security are in urgent need of review, and—if necessary—repair. These are: revocation of building and/or network access in a timely manner for people no longer employed by the organization; better control of call center agents’ access to customer financial data such as credit card and bank account details; and—of course—the physical security and protection of those agents.

Access Denied

TAKE ACCESS RIGHT revocation, for instance. It’s not that companies don’t recognize the need to revoke access, says Schwartau—it’s that they tend to lack the means to make it happen as consistently as it should. “It may well be the human resource function’s policy to revoke access—but human resources doesn’t control the network,” he says. “The result is that human resources has a checklist, but not the means to enforce it.”

The answer, says Forsythe Solutions Group’s Brown, is to replace lax enforcement with a process “that is extremely well-defined, and which takes into account the various scenarios that may come to pass. When someone retires, it’s a very different set of circumstances from someone being dismissed with due cause.”

And in the case of such “due cause” dismissal, he adds—especially when the due cause includes data manipulation or data theft—the procedures to be followed should include having physical security personnel in attendance (to prevent system access and to escort off premises), as well as legal personnel, law enforcement liaison, press relations and potentially even crisis management, depending on the likely scale of the illicit activity uncovered. “It’s important to have those procedures well defined,” stresses Brown. “Not because you might need to invoke them, but because you will need to invoke them. These things happen, and are happening more frequently. There’s an emerging sense of value in terms of the data that call centers hold—and the greater that sense of value, the greater the risk.”

Greater risk also manifests itself in organizations using single sign-on system log-in, adds SCIPP International’s Schwartau. While offering productivity gains, single sign-on increases the risk of data loss (or damage) in the case of password theft or misuse. “With single sign-on, one password provides access to multiple systems,” he observes. “When an individual leaves the employment of an organization using single sign-on, it’s vitally important that revocation takes place—and when that individual has been terminated, takes place instantly.”

Risk Assessment Reminders

Here are sample questions to help determine appropriate protective measures for a call center. In some cases the company may decide that a particular issue is outside its scope of responsibility—but clearly security can play a role in keeping a safe, efficient and trusted workforce in place.

■ What data will call center agents need to access? Are full-fledged PCs necessary for these tasks, or are terminals sufficient? What other policies and technical controls are required to prevent removal or copying of this data?

■ Are sensitive physical documents (possibly including operational procedures) appropriately secured and labeled?

■ Does the facility have an adequate physical access control system?

■ Is the physical environment of the call center (parking lot or garage, incoming roads and neighborhood) safe for employees at all hours of operation? Are additional lighting, fencing, call boxes, surveillance or security personnel required?

■ Do all employees have appropriate means of safe transportation to and from work?

■ What other businesses operate in the area and at what hours? In what ways (positive or negative) could these businesses affect security issues?

■ Are employees trained in how to handle incidents (including intrusions, threats and medical emergencies)?

■ Does the sensitivity of call center information necessitate background checks on new or existing employees? Does the organization have the necessary policy and capability for such investigations?

■ Do the center’s security controls meet all applicable regulatory requirements?

Source: CSO reporting
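The Access Denied section describes the gap between an HR checklist and the network side’s means to enforce it: leavers who keep access for years, transfers who keep old entitlements, and terminations that must be revoked at once. The following is an added example, not code from the article, Unisys or any product, of an audit that reconciles a constructed HR roster against a constructed account inventory and reports each of those conditions. All names, ids, dates and department names are invented.

```python
"""Reconciling an HR roster against account entitlements.

Added example, not from the article or any product. HR "has a checklist but
not the means to enforce it"; this audit is one way the account owners can
check the checklist was acted on. It reports enabled accounts of people HR
says have left (and how long ago), terminated-for-cause leavers whose account
was disabled later than their last day, people who changed departments but
kept the old department's entitlements, and accounts HR has no record of.
All ids, names, dates and department names are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set


@dataclass
class HrRecord:
    employee_id: str
    status: str                     # "active", "left" or "terminated_for_cause"
    department: str                 # current department
    previous_department: Optional[str] = None   # set for recent transfers
    end_date: Optional[date] = None # last working day for leavers


@dataclass
class Account:
    username: str
    employee_id: str
    enabled: bool
    entitlements: Set[str] = field(default_factory=set)  # e.g. "dept:billing"
    disabled_on: Optional[date] = None


@dataclass
class Finding:
    username: str
    issue: str
    detail: str


def audit(roster: List[HrRecord], accounts: List[Account],
          today: date) -> List[Finding]:
    """Return one Finding per account that violates a revocation rule."""
    by_id: Dict[str, HrRecord] = {r.employee_id: r for r in roster}
    findings: List[Finding] = []

    for acct in accounts:
        rec = by_id.get(acct.employee_id)
        if rec is None:
            findings.append(Finding(acct.username, "orphan_account",
                                    "no HR record matches this account"))
            continue

        if rec.status in ("left", "terminated_for_cause"):
            if acct.enabled:
                since = (f"{(today - rec.end_date).days} days ago"
                         if rec.end_date else "unknown date")
                findings.append(Finding(acct.username, "leaver_still_enabled",
                                        f"status {rec.status}; last day {since}"))
            elif (rec.status == "terminated_for_cause" and rec.end_date
                  and acct.disabled_on and acct.disabled_on > rec.end_date):
                # Termination for cause calls for same-day revocation.
                lag = (acct.disabled_on - rec.end_date).days
                findings.append(Finding(acct.username, "late_revocation",
                                        f"disabled {lag} days after termination"))
            continue

        # Still employed: a transfer must not keep the old department's access.
        old = rec.previous_department
        if old and f"dept:{old}" in acct.entitlements:
            findings.append(Finding(acct.username, "stale_transfer_entitlement",
                                    f"still holds dept:{old} after moving to "
                                    f"{rec.department}"))
    return findings


# Constructed sample data.
ROSTER = [
    HrRecord("E100", "active", "billing"),
    HrRecord("E101", "left", "billing", end_date=date(2005, 6, 30)),
    HrRecord("E102", "active", "fraud", previous_department="billing"),
    HrRecord("E103", "terminated_for_cause", "billing",
             end_date=date(2008, 3, 3)),
]
ACCOUNTS = [
    Account("asmith", "E100", True, {"dept:billing"}),
    Account("bjones", "E101", True, {"dept:billing"}),
    Account("cdoe", "E102", True, {"dept:billing", "dept:fraud"}),
    Account("dlee", "E103", False, {"dept:billing"},
            disabled_on=date(2008, 3, 5)),
    Account("svc-old", "E999", True, {"dept:billing"}),
]
AUDIT_DATE = date(2008, 4, 1)


def run_sample() -> List[Finding]:
    return audit(ROSTER, ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.username:<8} {f.issue:<28} {f.detail}")
```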

Safe and Secure

WHEN IT COMES to keeping financial data safe and secure, the reputational cost of information theft and misuse is immense. So it pays to get the basics right—starting with hiring checks. “Typically, employers do a surface scan—that often isn’t thorough enough—and then don’t follow through,” says Greg Boles, Irvine, Calif.-based director and leader of threat management and security services for risk management advisory firm Aon Consulting.

“What they should do is a very thorough background check, and then make it a condition of employment that continual background checks and drug testing take place. If there’s financial stress, or domestic violence, or the breaking of restraining orders, or drug dependency—then there’s a risk that individuals might be motivated to abuse their position.”

And if individuals are motivated to steal information, the next line of defense is to make data theft as difficult as possible. To start, says Boles, it’s important to restrict the devices that are allowed into call centers—essentially banning anything that can load data digitally, such as CD-ROMs, USB thumb drives and floppy disks. It’s important, too, he adds, to also restrict less obvious ways of skimming off confidential information, such as cameras—and cell phones containing cameras—which can be used to take screen-shots.

As well as posing a risk, technology can also help mitigate that risk. Thin clients and virtual machines, for instance, allow call center operators to impose far more control over what agents’ desktops can—and more importantly, can’t—do. So can software solutions which prohibit downloading by individuals without the appropriate permissions.

But these are backstops, stresses Howard Schmidt, a former CISO for Microsoft and eBay, who these days serves on the board of (ISC)2. “The basics have to come first,” he says. Included in Schmidt’s compendium of “basics”—in addition to controls such as employee screening, device prohibition and so on—is data “redaction”: only displaying on agents’ screens parts of data fields such as credit card numbers and dates of birth, never the whole number or date. “Agents rarely need such information, so it makes sense to limit access to it. In most situations, the last four digits of a card number, or the month and year of birth, is all that is required.”
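The redaction rule Schmidt describes (last four digits of a card number, month and year of birth) is simple to state but must also cover card numbers that agents type into free-text notes. The following is an added example, not code from the article or from the PCI standard, of a display-layer redaction that masks structured fields and finds card numbers in notes by length plus a Luhn check, so a long order number is left alone. The record and card number are constructed (the card is a standard test number, not a real account).

```python
"""Display-layer redaction of card numbers and dates of birth.

Added example, not from the article or from PCI DSS itself. The agent's view
carries only the last four digits of a card number and the month and year of
a date of birth. Card numbers buried in free-text notes are located by digit
count and a Luhn check, so an order number that merely looks like a card is
not masked. The sample record is constructed and the card number is a
standard test number, not a real account.
"""
import re
from datetime import date
from typing import Any, Dict

# Candidate: 13 to 19 digits, optionally separated by single spaces or
# hyphens, and not adjacent to further digits on either side.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits; any separators are dropped."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def mask_dob(dob: date) -> str:
    """Month and year only, never the day."""
    return dob.strftime("%m/%Y")


def redact_text(text: str) -> str:
    """Mask every Luhn-valid card-number candidate found in free text."""
    def replace(match):
        digits = re.sub(r"\D", "", match.group(0))
        return mask_pan(digits) if luhn_ok(digits) else match.group(0)
    return PAN_CANDIDATE.sub(replace, text)


def agent_view(record: Dict[str, Any]) -> Dict[str, str]:
    """The subset of a customer record an agent's screen should render."""
    return {
        "name": record["name"],
        "card": mask_pan(record["card"]),
        "dob": mask_dob(record["dob"]),
        "notes": redact_text(record["notes"]),
    }


# Constructed record: a Visa test number in the card field and, spaced, in
# the notes, next to a 15-digit order number that fails the Luhn check.
SAMPLE_RECORD = {
    "name": "A. Example",
    "card": "4111111111111111",
    "dob": date(1975, 4, 12),
    "notes": "Customer read card 4111 1111 1111 1111 for order 123456789012345",
}

if __name__ == "__main__":
    print(agent_view(SAMPLE_RECORD))
```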

Indeed, such redaction is one of the recommendations of the Payment Card Industry’s global Data Security Standard, promulgated by member firms such as Visa, MasterCard and American Express, precisely in order to make the theft of payment card data more difficult. The formation of the industry’s Security Standards Council, says Bob Russo, its general manager, reflected the recognition by the member firms that one industrywide digital data security standard was likely to be stronger than five or more different approaches.

Published in December 2004 as version 1.0—and updated to version 1.1 in September 2006—PCI DSS should be followed by any call center dealing with card payments, says Russo. “Basically, if a call center stores, processes or transmits credit card data, then they are in scope [of the requirement to comply with the standard],” he says. While compliance is mandatory, he adds, only so-called “Level 1” call centers—those processing more than 6 million card transactions per year—actually have to prove that compliance through audits.

Danger: Parking Lot

AND WHAT OF security outside the call center—the parking lot, for instance? Self help is important here, says SSC’s Chagnon. “Encourage people to use a buddy system so people aren’t walking out to their cars on their own at 2 a.m.,” he says. “Get them to leave the building together and try to park close to each other.”

But employer provision counts, too. “Open, well-lit parking lots with good visibility in all directions is a good idea—and ideally, parking lots with controlled access,” he adds. “Our recommendation is to push security out to the parking lot perimeter.”

Good nighttime lighting is crucial, agrees Forsythe Solutions Group’s Brown. “Monitoring cameras are helpful, too, as are panic buttons on lamp poles,” he says. “So too are live bodies that can physically respond if a button is pressed, or the camera sees something untoward.”

Standard Procedure

WHETHER IT’S RELATING to safe parking lots or access right revocation, recommendations like these aren’t new. Many pertaining to information protection are found in security standards including the aforementioned PCI DSS, as well as ISO 27001 and its best-practice counterpart ISO 27002. What’s lacking, says Gerhard Knecht, director and CSO of Unisys, is monitoring and compliance—not a basic understanding of what to do.

As a result, all of the call centers that Knecht is responsible for—some 14, ranging from Bogota to Budapest, and Sydney to Sao Paulo and Salt Lake City—are certified to ISO 27001. “But this just specifies a minimum standard,” he stresses. “In practice, we’re aiming for something higher.” Accordingly, each center must complete a quarterly maturity profile audit covering 91 separate questions, each with four “response scenarios”—with each response scenario equating to a given maturity level.

In terms of access rights revocation, for instance, the maturity profile requires call centers to revoke access not just when someone has left the organization, but when they have moved departments. “Eighty-six of the questions come from ISO 27002; five come from the requirements of Sarbanes-Oxley,” says Knecht. “For each question, each call center has to specify which level of security maturity applies—based on the response scenarios—and then justify that assessment.”

What’s interesting, he notes, is that so few Unisys customers proactively ask the same questions. Even so, he says, “I send our clients the maturity metrics on a regular basis and encourage them to come and audit them.” Such apparent indifference is surprising, he adds: Regulatory regimes such as Sarbanes-Oxley are quite clear: companies can outsource an activity, but can’t outsource the accountability for security that goes with that activity. ■

Malcolm Wheatley is a freelance writer based in the U.K. Send feedback to Editor Derek Slater at dslater@cxo.com.
BY MARY BRANDEL

"GROWING UP IN a computer science family got me exposed to some of the greatest minds of computer security at a young age. When I was little, my dad's friend was Peter Neumann, one of the world's greatest security engineers. If we had a Nobel Prize for computer security, he would have won it three times. These were extremely interesting people who were knowledgeable about everything, not just technology. They told the most interesting anecdotes, from the worlds of both art and science. I decided early on to be sort of like that. Similarly, Cliff Stoll was an astronomer before getting into security, and a lot of the good computer security experts are from different disciplines so they take a different view. Richard Feynman, a physicist, was breaking codes during the Manhattan Project, using techniques we now use to crack passwords. He was one of the world's first hackers."

Edward Amoroso serves as senior vice president and chief security officer for AT&T Services. His responsibilities include real-time protection of AT&T's vast network and computing infrastructure; security policy, planning and architecture for AT&T's enterprise; digital rights management and security support for AT&T's IPTV and entertainment initiatives; and lead design, development and operations support for AT&T's managed and network-based security services.

Amoroso's 22-year career at AT&T began at Bell Laboratories. "I was following my mom's advice to join a company that wouldn't change much," he jokes. Computer science runs in the family—not only are his brother and sister also in the field, but his father was one of the first people in the world to receive a master's degree and a PhD in computer science, at University of Pennsylvania.

While at AT&T, he began by working on securing the Unix operating system, as well as on numerous federal government security initiatives. More recently, he has championed AT&T's network-based security strategy, centered around emerging in-the-cloud protection services such as Internet Protect and DDoS Defense.

Amoroso has authored research papers and four books on information security, including Cyber Security, which is written for mainstream readers. He holds MS and PhD degrees in computer science from the Stevens Institute of Technology and is a graduate of the Senior Executive Program at the Columbia Business School. He has served as an adjunct professor in the computer science department at Stevens for the past 18 years.

Over the years, he says, "it's been an interesting evolution to watch security grow from being a niche player to something mainstream."
Ron Baklarz

Director of Information Systems Security, MedStar Health Information Systems

"THE SINGLE MOST significant factor is to understand your organization's culture. For example, in the military sector, implementing security is much easier since it is ingrained in the culture. When you try the same approach in private sectors such as financial industries or health care, it is a much more difficult endeavor. Implementing security at the U.S. House of Representatives was particularly challenging, since it was equivalent to working with 435 CEOs.

"In any industry, my approach to implementing security has been to:

■ Keep an even keel. In many cases, it doesn't help to get too emotional, especially when trying to implement security programs in an immature environment. Changing culture takes time.

■ Be consistent. Users will constantly test you and your security program, so it is important to apply security in a consistent manner. Consistency sends a good, solid security message rather than a waffling one.

■ Educate and communicate. Often, users may not like the security controls you are implementing, but if they are aware and educated, at least they may appreciate and understand what you are trying to accomplish."

In his 20-plus years in the information security field, Ron Baklarz (CISSP, CISA, CISM, IAM, IEM) has developed information security programs for the Naval Nuclear Program, the U.S. House of Representatives, the American Red Cross and MedStar Health, where he is currently the HIPAA Security Officer. He has also led incident-response and monitoring teams for a variety of industries, including government, insurance, health care and Big Five consulting firms.

Baklarz's security expertise spans policy development, incident handling and response, network intrusion detection, antivirus and network perimeter protections, cyber-related fraud investigations and computer forensics.

Baklarz holds an MS degree in information science and a Certificate of Advanced Study in telecommunications, both from the University of Pittsburgh, and is currently an adjunct professor at the University of Virginia. He writes articles and books, including The Art of Information Warfare.


Renee Guttmann

VP and Information Security and Privacy Officer, Time Warner

"OVER THE COURSE of my career I have had to learn to work with many different kinds of people, including some who are directly confrontational. I was fortunate that the company helped me get a coach who recommended the book Crucial Conversations: Tools for Talking When Stakes Are High. It talks about working toward a common outcome and showing we care about each other's goals.

"I started to embrace difficult and challenging people. A lot of times they have great ideas but don't know how to communicate them. Now, I seek out the rock throwers. They've often saved my bacon. I learned to recognize that they aren't challenging me; they are challenging my role. It isn't personal. That realization helped me to listen to the ideas they are trying to get across. We're in this together; we want the same outcome."

Renee Guttmann is vice president of information security and privacy officer at Time Warner. In her seven-plus years at Time Warner, she has worked to create the TW Enterprise Information Security and Privacy policy; define an enterprise privacy framework and strategy to support international privacy regulations and transborder data flows; and create an Enterprise Information Risk Management program.

In her nearly 20 years in information technology, she also worked at Glaxo Wellcome as a principal information security consultant, at Gartner as a senior research analyst and at Capital One Financial as an information security architect.

Guttmann holds an honors BA from Wilfrid Laurier University in Waterloo, Ontario, where she studied historical archaeology. The subject, she says, had a bearing on her choice of careers. In her last year of school, her professor recorded the class's artifacts on a computer punch card, in order to produce maps of where everything was found. This piqued Guttmann's interest in computers, leading her to obtain a computer programming diploma from Honeywell Institute in Toronto. She did some programming and end-user support work at Black & Decker, Honeywell and Xerox, where she also did some sales work. "That experience gives you incredible skills, because security is all about selling the mission and getting people to understand their risk or exposure, and the benefit of addressing that."

Marco Fidanza

Director of Security, Takeda Pharmaceuticals

"ON MY INTERNAL team, I've got about 10 FTE security management folks, and we use an outsourced security provider for security operations. I emphasize projecting a professional image in deed and action. For instance, we don't use the word guard or say guard booth; we use the word checkpoint. We constantly strive to professionalize people on the operational side, from investigations all the way through. Our officers, no matter what level, we view as our team. They are our extended team, no matter what level they're at.

"What I struggle with and sometimes get flabbergasted at is the unprofessionalism I see in security providers. What I've seen is people not holding them accountable. You're trying to fight that lowest common denominator. I'll hear, 'Well, XYZ Co. doesn't ask us for KPIs; why do you need them?' So I need to be clear that it's our expectation.

"In the end, it's about relationships, holding people accountable and surrounding yourself with people who challenge you. While it might be comfortable to surround ourselves with people who think like us, in my view it's not healthy because you get a jaded or one-sided perspective."

Marco Fidanza joined Takeda Pharmaceuticals in 2001 with the mission of building the company's security function from scratch. The security department now encompasses brand protection, information protection, security operations, investigations and crisis management oversight.

Prior to Takeda, Fidanza was a manager of security investigations at Abbott Laboratories, where he was responsible for global company investigations. He began his career at United Airlines, starting as an internal auditor, responsible for operational audits at Takeda's global locations. "I like to describe myself as a recovering auditor," he says. "It's where I cut my teeth on the area of fraud." He was later promoted to corporate security representative at United and was the first non-FBI person to work in the department. At that point, he made a complete transition into the security profession, working on employee investigations and fraud.

While at Takeda, Fidanza was a member of the team that constructed a new Takeda corporate campus in the Chicagoland area. He was instrumental in developing a state-of-the-art security master plan and architecture to protect and safeguard personnel and company assets. The campus was selected as "construction project of the year" in the Chicago real estate community.

Fidanza holds a business administration degree from Loyola University of Chicago and has previously been a CPA and a Certified Fraud Examiner.


Jim Hutton

CSO and Director of Global Security, Procter & Gamble

"THERE WAS A huge cultural difference between the two companies. Gillette was engineering-based, focused, deliberate and quicker to make decisions. P&G is a marketing company whose culture is all about ideas and collaboration.

"It's all about confidence in your ability to understand the business or organization, and your confidence in your ability to develop and deliver solutions and be able to measure those solutions. Don't fall into the trap where security falls into the backseat and is told what to do. Go into the C suite and own the room. It really doesn't matter whether we're talking physical or cyber security.

"What does the business need from you? If they know they're being heard and listened to, you will gain momentum, and soon your phone starts ringing. It's almost a [sales] account rep mentality."

Jim Hutton became chief security officer and director of global security at Procter & Gamble in 2005, after P&G acquired Gillette, where he had served as vice president and CSO. He joined Gillette in 1993, serving in a variety of increasingly responsible security positions in the finance and administration areas. Today at P&G, he heads worldwide security direction and consultation for all business units.

Trained as a special education teacher, Hutton spent three years in that field before enrolling in law school. Midway through the process of obtaining his degree, he accepted a position at the U.S. Department of State's Bureau of Diplomatic Security, where he worked for 10 years. This agency is responsible for the protection of U.S. diplomatic personnel, information and facilities around the world. During his tenure there, he served as a special agent, watch officer and counterterrorism intelligence analyst, and received the Meritorious Honor Award in 1992.

"They were all unique, building-block opportunities," he says. "They taught us everything, and I was grounded in a number of disciplines that continue to serve me well."

A native of Philadelphia, Hutton is a graduate of West Chester University, where he earned a BS in 1979. He is a member of the American Society for Industrial Security and earned the Certified Protection Professional designation in 1997. Hutton is also active in the International Security Management Association, on the Security Executive Council and on the Northeastern University Cooperative Education Employer Advisory Board. In 2003, he was invited by then-Secretary of State Colin Powell to participate in a leadership role in the Overseas Security Advisory Council (OSAC), a forum that provides security guidance to U.S. businesses abroad. He currently leads the OSAC Committee for Country Council Outreach.

John McClurg

Vice President and CSO of Global Security, Honeywell

"MY [FBI] BOSS came out and yelled, 'Who here knows anything about Unix?' I grew up in Libya before the Six Day War, and I knew all about eunuchs. So when he came in, I didn't know why he was asking about eunuchs, but I raised my hand. He handed me a file and said, 'This is critical; we need to get right on it.' I opened up the file and didn't see anything about eunuchs in there. It was a serious misstep, but then again, the FBI at the time also didn't have anyone who knew anything about Unix, either. In the end, I reached out to Sun Microsystems, which gave me an engineer to help me through it.

"The lesson is to embrace the improbable or the unknown. That day, there were literally people heading for the door when the boss asked who would take on this unknown opportunity. But the unknown can, in fact, work its way back around as our friend."

John McClurg serves as vice president and CSO of Honeywell's Global Security Organization. He is responsible for the strategic focus and tactical operations of Honeywell's internal global security services, both physical and cyber. He is also charged with advancing business continuity, seamlessly integrating Honeywell's security offerings and improving the effectiveness of security initiatives.

Before joining Honeywell, McClurg served as the vice president of global security at Lucent Technologies/Bell Laboratories and in the U.S. Intelligence Community; he was also a twice-decorated member of the FBI, where he held an assignment with the U.S. Department of Energy (DoE) as a branch chief charged with establishing a cyber-counterintelligence program within the DoE's newly created Office of Counterintelligence. Prior to the DoE post, McClurg served as a supervisory special agent within the FBI, assisting in the establishment of what is now known as the National Infrastructure Protection Center within the Department of Homeland Security. McClurg also served on assignment as a deputy branch chief with the CIA, helping to establish the Counterespionage Group. He was also a special agent for the FBI in the Los Angeles Field Office, where he implemented plans to protect critical U.S. technologies targeted for unlawful acquisition by foreign powers, and served on one of the nation's first Joint Terrorism Task Forces.

McClurg holds a JD degree from Brigham Young University, is a member of the Utah Bar Association, chairs the Awareness and Innovation Committee of the Overseas Security Advisory Council of the U.S. Department of State and sits on the FBI's Domestic Security Alliance Council. He also holds an MA in organizational behavior, BS and BA degrees in university studies and philosophy from Brigham Young, and advanced doctoral studies in philosophical hermeneutics at UNC-Chapel Hill and UCLA.

All in all, McClurg has spent 10 years in academia, 10 years in government and almost 12 years in the commercial sector. "Like a proud father, I love all those periods of my life," he says. "They've come together in a way that I can capitalize on the knowledge from each sector, which speaks to the richness of the environment I currently work in." ■

Mary Brandel is a freelance writer based outside of Boston. Send feedback to Editor Derek Slater at dslater@cxo.com.


34  www.csoonline.com  May  2008 


What are you willing to put on the line?

Certainly not the growth, knowledge, and insight that can be obtained through the continuing education, peer-to-peer discussions, and innovative solutions available at ASIS 2008, the world's leading event dedicated to security.

At ASIS 2008 you'll find the tools you need to assess and mitigate your security risk from every angle.

With more than 160 educational sessions vetted by real-world practitioners who are eager to share the very latest intelligence and techniques, ASIS delivers a curriculum focused on achieving a balanced approach to security throughout your entire organization.

Come for the education, stay for the countless networking opportunities and vast exhibit hall, because security is in focus 24/7 at ASIS 2008.

Visit www.asisonline.org/asis2008 or call 1-703-519-6200 to register or for more information.

TOM BROKAW, Legendary NBC Newsman and Author

JAMES CARVILLE, Media Personality and Political Icon

MARY MATALIN, Political Strategist and Presidential Advisor

JAMES BRADLEY, Best-selling Author of Flags of Our Fathers

Three years running, named one of the 50 fastest growing tradeshows in North America.

ASIS INTERNATIONAL 2008

54th Annual Seminar and Exhibits
September 15-18, 2008 | Atlanta, GA
www.asisonline.org/asis2008
By Anonymous

A Contract Killing

Think government work is devoid of drama? Think again!

The government doesn't get its fair due for drama. To wit, I was the security lead on an IT services contract with a government agency, on a job that went from routine to rollicking. A little background: This contract required training in a wide variety of areas—mischarging, sexual harassment, security and privacy, conflict of interest, and others that focused on confidentiality, integrity and ethics. Complete participation was required per the contract. Failure to do so could lead to termination. Emphasis on the "could."

After a mini St. Valentine's Day Massacre—a letter received on Valentine's Day alerting our company that our ratings were in the low 70s, meaning no contract bonus and the certainty that heads would roll—a new Program Manager was brought in. He was a fixer, brought in to correct the course of this contract. We soon found the fixer was really a "rule by intimidation and ridicule" type of leader. His job was to improve the periodic ratings in order to secure millions in bonus dollars. His compensation hinged upon this. Dollars were awarded based upon the ratings derived from specific measurements as per the contract.

Our job was peripheral to this bigger contract drama—until we actively scanned for vulnerabilities and found an anomaly we could not verify. Like an arsonist calling in the fire, a tech lead pointed us toward a couple of IP addresses that we could not scan. We traced the IP numbers to their physical location and found two servers located in an office. Per the requirements of the contract, we began to gather information off the two servers. What we found on those servers was quite exciting—and extremely disturbing:


■ W2K3 running on both;

■ Eval copies with cracked licenses now unlimited;

■ Illegal copies of firewall software with rules specifically established to obfuscate any detection.

Firewall rules were created to allow by IP and name. Those named were part of the contract's two warring IT factions—IT operations and IT engineering—which were engaged in a struggle for control of the IT landscape. Dynamic IP allocation was required for all within the organization. Those with static IPs needed security approval. This had not occurred. Having a static IP allowed one such conspirator to access the servers in question off the internal network. His full name was on the rule.

The servers had never been patched or upgraded. The servers were running antivirus software illegally acquired, loaded and never updated. They held 100GB of production data (including all server and desktop images for the organization).

One of the contract's employees was running a real estate business on one of the servers. All customer information (PII), financials and home listings, plus e-mail/snail mail distribution lists were stored there. Meanwhile, other documents indicated a love affair between four other employees on the contract. Their liaisons were dangerous, and not just because two of them were married—they were also taking place in this office (they fought about tryst schedules in the documents we had). There were rumors of sex videos stored on the servers. Despite our best efforts, we were unable to locate what would have been valuable evidence.

For those keeping score, there were several types of computer crime happening here, each a felony violation of Section 1030 of the United States Code (noninclusively):

■ Fraud achieved by the manipulation of computer records;

■ Deliberate circumvention of computer security systems;

■ Unauthorized access to or modification of programs (see software cracking and hacking);

■ Intellectual property theft, including software piracy.

We secured the servers and moved them to my office. We started to forensically image the servers, which had never been backed up, despite nearly 20 months on the job. I informed the Deputy Program Manager (DPM) that they were secured in my locked office and they were being backed up. The whole process would eventually take four days.

As each day came, the pressure mounted—the contract required us to report these incidents, but the Program Manager (PM), the Deputy PM and the IT Ops Manager wanted it hushed up. I was called into a meeting with the PM, DPM and the IT Ops Manager, who presided over the fornicating four.

The PM combined the physical features of the pointy-haired boss with a Mutley-like laugh. His management style was to glare menacingly at all near him, part of an effort to rule through continuous and multiple levels of attempted intimidation. He would, however, relax and beam with pride as he reminisced about selling dope on the library steps during college.

The DPM was a good-hearted sidekick who maintained a perpetual deer-in-the-headlights stare that was broken only by the incessant opening and closing of his mustachioed upper lip as his nicotine stick and caffeine drip passed into his needy, anxiously awaiting ecosystem.

We are required by contract to inform the government of any such incidents within a certain time frame, and it was getting late with respect to informing my government counterparts. Regardless, my peers would be informed (I knew something the PM didn't—that the CTO had decided to inform the agency CTO of the situation). This meeting was not to query what was being found. They already knew what was going to be found. You see, the IT Ops Manager had purchased these servers 20 months ago and had authorized their use as a backdoor way to meeting operational goals without federal scrutiny. Even so, the operational goals hadn't been met—unless you consider running a business from a federal government server an operational goal.

The meeting started with my chair positioned in a location under the direct gaze of the other three. They had prepared their line of questioning and felt confident they would achieve their desired results. Prior to the meeting, I had the facilities staff change the lock on my door. The new lock did not work with the master key for that office area (I acquired all keys to my door).

I came to the meeting armed with the initial draft report, distributing the evidence to the three interrogators. They peppered me with hostile questions about my intent in taking the servers and what I would include in my report. I informed them that any and all findings would be included in the report as per contract requirements and standard incident handling procedures. Why? It's standard protocol to review all incidents and subsequent findings/report prior to delivery. After they had exhausted themselves, we reviewed the draft report. There were no redlines, since the report was objective in nature—as required. The facts were stated and evidence provided. Of note, two of the four involved in this incident had left the company one week prior to the discovery of these servers. It is apparent to me that the warring factions had reached an impasse and new, more severe battles were taking place in the shadows. My role was that of a pawn for one and an enemy for the other.

That afternoon, I called my counterpart. He was initially stunned at the incident. He had a hard time believing that this activity could go undiscovered for more than a year and a half in an office in the same building as his. I sent the draft report to him before ending the conversation. In the evening, I secured my office and left with my laptop.

The next day brought a new round of questioning and inquisition. It was evident that someone had attempted to access my office after I had left. The DPM and PM were soon at my door to view the situation. I noticed the PM's interest in the doorknob. He worked the handle and examined the lock, with more than casual intent.

They were obviously anxious for an initial ruling from the customer. I soon received a phone call from my federal counterpart. He asked:

■ When will the servers be back online?

■ How will you prevent this from happening again?

I indicated that all software must be legal and that the PM had agreed to purchase all necessary software (minus the firewall). The servers would be placed within the data center and entered into the normal patch management and backup cycles. As for how to prevent this from occurring again, I promised I would perform a communist purge with those responsible sent to a gulag. Actually, we drafted a plan to perform more frequent vulnerability scans and network mappings as well as periodic announced and unannounced physical reviews of contractor-accessible offices.

Even though the evidence was clear, concise and indisputable, no disciplinary action was ever taken (of course my options were but one). Should I have reported this to the Inspector General? It was in fact the responsibility of my federal counterpart. The felonies committed would be swept under the rug and the incident forgotten. Other copies may have been made of the data as methods of protection and self-preservation, but that is just speculation.

We returned the servers so they could upgrade the software per the plan, entering them back into production. Three months later, I left the contract. ■

Undercover is written anonymously by a real CSO. Please send feedback to csoundercover@cxo.com.
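The remediation plan the columnist describes (more frequent network mapping and vulnerability scans, and static addresses only with security approval) can be run as a routine reconciliation rather than a one-off hunt. The following Python script is an added example and is not the columnist's code or any product's: it parses a constructed dhcpd-style lease table, checks every host that answered on a network map against that lease table and a security-approved static-IP list, and flags hosts that appear in neither (unapproved static addresses) as well as hosts the vulnerability scanner could not complete, the two signals that surfaced the rogue servers in the story. The managed network range, addresses, hostnames and lease format are all constructed sample values.

```python
"""Reconcile discovered hosts against DHCP leases and approved static IPs.

Added example (not from the column). All inputs below are constructed.
"""
import re
from ipaddress import ip_address, ip_network

# Assumed scope of the managed network (constructed RFC 1918 range).
MANAGED_NET = ip_network("10.20.0.0/16")

# Security-approved static assignments: ip -> asset name (constructed).
APPROVED_STATIC = {"10.20.0.5": "dc01", "10.20.0.6": "fileserver"}

# Constructed dhcpd-style lease records.
DHCP_LEASES = """\
lease 10.20.1.17 { hardware ethernet 00:11:22:33:44:01; client-hostname "wkstn-ops-17"; }
lease 10.20.1.18 { hardware ethernet 00:11:22:33:44:02; client-hostname "wkstn-eng-18"; }
"""

# Constructed network-map output: (ip, answered_probe, scan_completed).
NETWORK_MAP = [
    ("10.20.0.5", True, True),      # approved static, scanned fine
    ("10.20.1.17", True, True),     # DHCP client
    ("10.20.1.18", True, True),     # DHCP client
    ("10.20.0.44", True, False),    # static, unapproved, blocks the scanner
    ("10.20.0.45", True, False),    # static, unapproved, blocks the scanner
    ("10.20.1.50", True, True),     # static, unapproved, but scannable
    ("10.20.3.9", False, False),    # did not answer; nothing to reconcile
    ("192.168.77.2", True, True),   # outside the managed range; ignored
]

LEASE_RE = re.compile(
    r'lease\s+(\d+\.\d+\.\d+\.\d+)\s*\{[^}]*?client-hostname\s+"([^"]*)"'
)


def parse_dhcp_leases(text):
    """Return {ip: hostname} for every lease record in dhcpd-style text."""
    return {ip: host for ip, host in LEASE_RE.findall(text)}


def classify_hosts(network_map, approved_static, leases, managed_net=MANAGED_NET):
    """Return [(ip, source, note)] for hosts that need follow-up.

    source is 'approved-static', 'dhcp' or 'unapproved-static'. A host is
    reported when it has no lease and no approval, or when the scanner
    could not finish against it (both conditions may apply at once).
    """
    findings = []
    for ip, answered, scanned in network_map:
        if not answered or ip_address(ip) not in managed_net:
            continue
        if ip in approved_static:
            source = "approved-static"
        elif ip in leases:
            source = "dhcp"
        else:
            source = "unapproved-static"
        notes = []
        if source == "unapproved-static":
            notes.append("no DHCP lease and no security approval")
        if not scanned:
            notes.append("vulnerability scan could not complete")
        if notes:
            findings.append((ip, source, "; ".join(notes)))
    return findings


def main():
    leases = parse_dhcp_leases(DHCP_LEASES)
    for ip, source, note in classify_hosts(NETWORK_MAP, APPROVED_STATIC, leases):
        print(f"{ip:<15} {source:<18} {note}")


if __name__ == "__main__":
    main()
```

A host that answers probes but cannot be scanned and has no lease or approval is exactly the profile the column describes, so those entries deserve a physical trace to the port and office before anything else; the unscannable-but-approved case is worth a separate ticket because it usually means a host firewall or ACL is silently exempting an asset from the patch and audit cycle.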


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[  INDUSTRY  VIEW] 

By  Bob  Bradley 


Enterprise  VoIP  Security 

Voice  over  IP— like  all  data  security— requires  a  defense-in-depth  approach 


The  threats  facing  voice  over  IP 
are  numerous.  Most  organiza¬ 
tions  have  developed  security 
best  practices  and  policies, 
but  these  policies  are  often 
not  extended  to  cover  protection  of  the  IP 
network.  Because  there  are  specific  VoIP 
issues  that  must  be  addressed,  enterprises 
must  also  conduct  a  risk  audit  that  will  pro¬ 
vide  them  with  the  information  needed  to 
secure  the  VoIP  network. 

Today, there is excellent guidance readily available from standards bodies, industry consortia and government agencies on how to define and augment existing security practices to support VoIP and other session-style traffic (IM, video). Once a policy is created or updated and associated risks are identified, there are multiple paths for information security managers to take to meet their goals.

As in the pure, data-only world, VoIP security can be achieved either through internal sources or via managed outsourcing. Carriers are beginning to offer the option of outsourcing the provisioning, deployment and ongoing monitoring of VoIP equipment. VoIP elements such as Class 5 feature servers, registrars, IP PBXs and the network border switches (or firewalls) can be managed either at the customer's premises or as a hosted service, with these elements residing in the carrier's administrative domain. Often this boils down to a matter of scope, cost and resource constraints on the end user's side.

Businesses that plan to manage security internally can extend their existing infrastructure while maintaining a layered, "defense-in-depth" approach. The first component deployed is often a secure IP-edge element, such as a network border switch.


The network border switch represents the evolution of legacy session border controller (SBC) appliances, integrating security, call control, media support, scalability and performance. In this role, the network border switch provides enterprises with their first line of defense on the perimeter at network demarcation points. Its role becomes even more important as enterprises with multiple locations become more vulnerable to denial-of-service (DoS) attacks by interconnecting via the public Internet to carry both external and intracompany VoIP traffic, in lieu of dedicated connections. In this scenario, enterprises can mitigate risk by implementing a split DMZ-style topology for VoIP elements front-ended with an SBC. This deployment protects the VoIP network in the same way that DMZ designs protect Web server farms and database systems from DoS attacks. As you look to protect the network from the inside out, it is important to recognize that although they are built on IP, VoIP network elements such as provisioning systems, billing systems, SIP servers and IP PBXs share common vulnerabilities with their non-VoIP counterparts. This is because these systems are based on commercial, off-the-shelf (COTS) items, such as commodity operating systems (Solaris, Linux, Windows), that run on general-purpose computers. Other COTS components may be protocol stacks (TCP/IP) from OEMs that are embedded in proprietary platforms. Vulnerabilities may therefore exist, but the risk of intrusion and exploitation can be reduced by proper hardening, just as their non-VoIP counterparts are provisioned today.

In addition to these traditional weaknesses, VoIP-specific vulnerabilities such as SIP protocol stack corruption may exist. These threats can be mitigated by many of the same general techniques used for protection at the lower layers. Given the session-state nature of SIP, organizations need a class of session-aware devices, such as the SBC described earlier. Consider placing VoIP phones on separate, secured VLANs to protect against unauthorized devices that may eavesdrop on internal communication and lead to theft or fraud. VoIP devices should be isolated so that inbound and outbound traffic is limited and can be easily controlled by a call manager. Businesses should also implement encryption to secure calls that travel over public networks, preventing the fraudulent use of VoIP, including authentication exploitation and theft. ■
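The two points above that a practitioner most wants to see concretely are why a SIP-aware border element (the SBC) matters and how it blunts an INVITE flood. A plain packet filter has to leave a wide UDP range open for RTP; a session-aware element opens a media "pinhole" only for the address and port negotiated in the SDP of an INVITE or its 200 OK, and closes it again on BYE, while counting INVITEs per source so a flood is dropped before it reaches the IP PBX. The following is an added illustration written for this page, not Sonus Networks code or any product's implementation; the SIP messages, Call-IDs and addresses are constructed sample data, and the per-source INVITE counter stands in for the ageing rate limiter a real device would use.

```python
"""Session-aware RTP pinholing and INVITE rate limiting, SBC-style.

Added example (not vendor code). Sample SIP messages below are constructed;
addresses come from the RFC 5737 documentation ranges.
"""
from collections import defaultdict


class SessionAwareFilter:
    """Admits RTP only toward media endpoints negotiated in a SIP dialog."""

    def __init__(self, invite_limit=5):
        self.pinholes = {}                # (ip, port) -> Call-ID that opened it
        self.dialogs = {}                 # Call-ID -> list of (ip, port)
        self.invites = defaultdict(int)   # source ip -> INVITEs seen (toy window)
        self.invite_limit = invite_limit

    @staticmethod
    def parse_sip(raw):
        """Split a SIP message into start line, header dict and body."""
        head, _, body = raw.partition("\r\n\r\n")
        lines = head.split("\r\n")
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        return lines[0], headers, body

    @staticmethod
    def parse_sdp(body):
        """Return the (ip, port) of the audio stream declared in the SDP, or None."""
        ip = port = None
        for line in body.splitlines():
            if line.startswith("c="):           # c=IN IP4 <addr>
                ip = line.split()[-1]
            elif line.startswith("m=audio"):    # m=audio <port> RTP/AVP ...
                port = int(line.split()[1])
        return (ip, port) if ip and port else None

    def _open(self, call_id, media):
        self.pinholes[media] = call_id
        self.dialogs.setdefault(call_id, []).append(media)
        return "pinhole-opened"

    def handle_sip(self, src_ip, raw):
        """Inspect signalling and return the decision taken for this message."""
        start, headers, body = self.parse_sip(raw)
        call_id = headers.get("call-id")
        if start.startswith("SIP/2.0"):         # a response, e.g. 200 OK with callee SDP
            status = int(start.split()[1])
            media = self.parse_sdp(body)
            if status == 200 and media and call_id in self.dialogs:
                return self._open(call_id, media)
            return "forwarded"
        method = start.split()[0]
        if method == "INVITE":
            self.invites[src_ip] += 1
            if self.invites[src_ip] > self.invite_limit:
                return "rate-limited"          # DoS control: excess INVITEs dropped
            media = self.parse_sdp(body)
            if media is None or call_id is None:
                return "rejected"              # malformed: no dialog, no pinhole
            return self._open(call_id, media)
        if method == "BYE":
            for media in self.dialogs.pop(call_id, []):
                self.pinholes.pop(media, None)
            return "pinhole-closed"
        return "forwarded"

    def allow_rtp(self, dst_ip, dst_port):
        """Media is admitted only through an open pinhole."""
        return (dst_ip, dst_port) in self.pinholes


# Constructed sample dialog: Alice (203.0.113.10) calls Bob (192.0.2.20).
INVITE = ("INVITE sip:bob@example.com SIP/2.0\r\n"
          "Call-ID: call-1@203.0.113.10\r\nCSeq: 1 INVITE\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 203.0.113.10\r\nm=audio 49170 RTP/AVP 0\r\n")
OK_200 = ("SIP/2.0 200 OK\r\nCall-ID: call-1@203.0.113.10\r\nCSeq: 1 INVITE\r\n"
          "Content-Type: application/sdp\r\n\r\n"
          "v=0\r\nc=IN IP4 192.0.2.20\r\nm=audio 6000 RTP/AVP 0\r\n")
BYE = "BYE sip:bob@example.com SIP/2.0\r\nCall-ID: call-1@203.0.113.10\r\nCSeq: 2 BYE\r\n\r\n"


def demo():
    """Walk one call through the filter and return the decisions in order."""
    f = SessionAwareFilter(invite_limit=3)
    d = [f.allow_rtp("192.0.2.20", 6000)]        # False: nothing negotiated yet
    d.append(f.handle_sip("203.0.113.10", INVITE))
    d.append(f.handle_sip("192.0.2.20", OK_200))
    d.append(f.allow_rtp("203.0.113.10", 49170))  # caller media: allowed
    d.append(f.allow_rtp("192.0.2.20", 6000))     # callee media: allowed
    d.append(f.allow_rtp("192.0.2.20", 6001))     # stray port: denied
    d.append(f.handle_sip("203.0.113.10", BYE))
    d.append(f.allow_rtp("192.0.2.20", 6000))     # closed with the dialog
    flood = [f.handle_sip("198.51.100.7", INVITE) for _ in range(4)]
    d.append(flood[-1])                            # fourth INVITE exceeds limit
    return d


if __name__ == "__main__":
    for step in demo():
        print(step)
```

The point of the walk-through is the contrast with a stateless firewall: here port 6001 on the callee is refused even though 6000 is open, and once the BYE is seen no RTP reaches either phone, which is what the article means by needing session-aware devices rather than a static rule set. The VLAN isolation the article recommends is the complementary layer on the inside: it keeps unauthorized devices off the voice segment in the first place, so the filter above only has to reason about traffic that crosses the border.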


Bob Bradley is product line manager of security solutions for Sonus Networks. He can be reached at rbradley@sonusnet.com. This article is excerpted from the full version available at www.csoonline.com/article/329020.
Building a Holistic Risk Approach: The Power of Leveraging

Hosted by Alta Associates, Inc. the 6th Annual Executive Women's Forum (EWF) brings together more than 200 women of influence, power and

and organizations to achieve success.

AGENDA


>  Keynote:  Leveraging  Your  Unique 
Strengths,  Val  Rahmani,  General 
Manager  IBM  ISS,  Security  &  Privacy 

>  Convergence:  The  Good,  the  Bad  & 
the  Ugly 

>  Emerging  Technologies  and 
Emerging  Workforces 

>  Managing  Risk  in  a  Flatter  World 


>  Protecting  Privacy:  Leveraging 
Relationships  Internally  and  Externally 
WOMEN OF INFLUENCE AWARDS

Nominate your peers, clients and customers for the Women of Influence Awards. Co-presented by CSO magazine and Alta Associates, the awards honor four women for their accomplishments and leadership roles in the fields of security, risk management and privacy. Winners will be announced at an awards ceremony during the Executive Women's Forum.

NOMINATION FORM AVAILABLE AT:

http://public.cxo.com/awards/W0l_2008_application.html

Nominations must be submitted by August 1, 2008.
[ debriefing]

Pop Quiz


Going  Postal 

1. About how many pieces of mail does the U.S. Postal Inspection Service safeguard per second?

a. 23  b. 986  c. 6,718  d. 9,146

2.  How  many  arrests  did  the  USPIS  make  in 
2007  for  violations  of  the  postal  code? 

a.  23  b.  986  c.  6,718  d.  9,146 

3.  What  percentage  of  these  arrests  were 
for  shipping  real  or  hoax  hazardous 
substances  such  as  anthrax? 

a.  Less  than  15  percent  c.  Less  than  5  percent 

b.  Less  than  10  percent  d.  Less  than  1  percent 

4.  Which  of  the  following  did  the 
USPIS  not  do  last  year? 

a.  Investigate  a  postal  employee  who  was  allegedly 
stealing  DVDs  out  of  the  mail  sort  and  who  was  found 
to  have  8,177  DVDs  worth  $117,000  at  his  house. 

b. Detect and stop the mailing of enough red phosphorous and iodine to produce 1,400 pounds of crystal meth worth $12.4 million.

c.  Create  a  new  unit  in  charge  of  inspecting 
postal  facilities’  interoffice  mail. 

d.  Oversee  the  destruction  of  $14  million  of  stamps 
in  Boston  after  postage  rates  went  up. 

5.  Over  the  course  of  five  years,  Westport, 
Conn.,  plastic  surgeon  Dr.  Steven  Herman 
had  household  help  purchase  $800,000 
worth  of  money  orders;  each  purchase 
was  made  with  $700  cash.  Why? 

a.  He  was  investing  his  money  safely  and  shielding  it  from  taxation. 

b.  He  was  skimming  from  his  business  and  used  small 
chunks  to  avoid  having  to  report  the  money. 

c.  He  was  part  of  a  mail-based  crystal  meth  ring. 

d.  He  used  the  money  orders  as  gifts  for  the  household  employees. 

6.  What  did  Herman  do  with  $300,000 
of  his  postal  money  orders? 

a.  Bought  several  high-end  cars 

b.  Gave  it  to  his  girlfriend,  who  used  some  of  it  for  plastic  surgery 

c.  Put  a  down  payment  on  a  ski  house  in  Vermont 

d.  Hid  it  under  his  mattress 

7.  Postal  inspectors  responded  to  3,049 
cases  of  potential  hazardous  substances 
in  the  mail.  What  percentage  of  those 
were  deemed  actually  hazardous? 

a.  0  percent  b.  3  percent  c.  6  percent  d.  11  percent 

8.  True  or  False:  U.S.  Postal 
police  officers  are  armed. 

9.  Which  of  the  following  did  the 
USPIS  not  do,  historically? 

a.  Interview  Billy  the  Kid  in  connection  with  a  mail  robbery. 

b.  Escort  the  nation’s  gold  reserves  from  New  York  to  Fort  Knox. 

c.  Create  the  postage-by-weight  business  model  after  Noah 
Webster  published  and  began  mailing  his  dictionary. 

d.  Arrest  televangelist  Jim  Bakker. 

BONUS  QUESTION:  In  1792,  what  penalty 
did  Congress  impose  for  stealing  mail? 
How'd you do?


0-3  Correct:  Return  to  Sender 
4-7  Correct:  Standard  Postage 
8-10  Correct:  Priority  Mail! 
SECURITY MANAGER

www.isaca.org/csomag

Risk comes in many forms

Making risk-intelligent decisions to manage security


Information security, privacy & data protection are management issues with global business implications. The associated risks of doing business today need to be clearly understood in order to effectively manage your business and protect your organization.


Managing information security & privacy risk at the enterprise level enables companies to achieve more efficient and effective security and data protection processes and programs. Issues such as stakeholder value, consumer confidence, brand and reputation protection, and legal and regulatory compliance can be addressed. The Security & Privacy

As an industry leader offering global security and privacy solutions, we are focused on delivering excellent client service through a network of offices in nearly 150 countries.
"Deloitte is a Leader in Security Consulting with Solid Depth and Global Reach."

"The Forrester Wave™: Security Consulting, Q3 2007", September 2007

"Deloitte is best suited for combined security and risk management solutions."

"The Forrester Wave™: Security Consulting, Q3 2007", September 2007


Visit  us  online  at  www.deloitte.com/us/security/CI03 